
Analysis Report 3F97s4aQjB.xlsx

Overview

General Information

Sample Name: 3F97s4aQjB.xlsx
Analysis ID: 432818
MD5: 1ac719c744d22f42e4978e7b55828435
SHA1: 4ddc7358f615987bf92ed9192430693db65b097c
SHA256: d9be275feff4b3383821b1483ba93424fb27aa40e138da41a91511193d9538cb

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Multi AV Scanner detection for domain / URL
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Contains functionality to create processes via WMI
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found abnormally large hidden Excel 4.0 Macro sheet
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Abnormally high CPU usage
Allocates a big amount of memory (probably used for heap spraying)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6564 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 6852 cmdline: wmic process call create 'C:/Users/Public/SettingSyncHost' MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • SettingSyncHost (PID: 7044 cmdline: C:/Users/Public/SettingSyncHost MD5: 526D56017EF5105277FE0D366C95C39D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: app.xml | Rule: JoeSecurity_XlsWithMacro4 | Description: Yara detected Xls With Macro 4.0 | Author: Joe Security | Strings: (empty)

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started
    Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
    Data: Command: wmic process call create 'C:/Users/Public/SettingSyncHost', CommandLine: wmic process call create 'C:/Users/Public/SettingSyncHost', CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6564, ProcessCommandLine: wmic process call create 'C:/Users/Public/SettingSyncHost', ProcessId: 6852

    Signature Overview

    AV Detection:

    Multi AV Scanner detection for domain / URL
    Source: injuryless.com | Virustotal: Detection: 7%
    Machine Learning detection for dropped file
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png | Joe Sandbox ML: detected
    Source: C:\Users\Public\SettingSyncHost | Joe Sandbox ML: detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: unknown | HTTPS traffic detected: 95.142.44.93:443 -> 192.168.2.3:49724 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 193.178.169.243:443 -> 192.168.2.3:49727 version: TLS 1.2
    Source: Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb | source: SettingSyncHost
    Source: Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb5 | source: SettingSyncHost, 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp
    Source: C:\Users\Public\SettingSyncHost | Code function: 4_2_00FCCEB0 FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindClose,

    Software Vulnerabilities:

    Document exploit detected (drops PE files)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: logo[1].png.0.dr
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe
    Source: excel.exe | Memory has grown: Private usage: 1MB later: 92MB
    Source: global traffic | DNS query: name: pigeonious.com
    Source: global traffic | TCP traffic: 192.168.2.3:49724 -> 95.142.44.93:443
    Source: Joe Sandbox View | ASN Name: VDSINA-ASRU VDSINA-ASRU
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown | DNS traffic detected: queries for: pigeonious.com
    Source: hats.xml | String found in binary or memory: https://pigeonious.com/img/logo.png
    Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 8 | Screenshot OCR: Enable Editing" and then "Enable Content" button. O O ConMecmal ej 2021 USPS All Rghts O " CD
    Source: Screenshot number: 8 | Screenshot OCR: Enable Content" button. O O ConMecmal ej 2021 USPS All Rghts O " CD Ready O Type here to sea
    Contains functionality to create processes via WMI
    Source: WMIC.exe, 00000002.00000002.224991249.0000000000700000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create 'C:/Users/Public/SettingSyncHost'C:\Windows\System32\Wbem\wmic.exeWinSta0\Default
    Found abnormally large hidden Excel 4.0 Macro sheet
    Source: 3F97s4aQjB.xlsx | Initial sample: Sheet size: 480182
    Office process drops PE file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\Public\SettingSyncHost
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png
    Source: C:\Users\Public\SettingSyncHost | Process Stats: CPU usage > 98%
    Source: classification engine | Classification label: mal100.expl.evad.winXLSX@5/12@2/2
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{F3604315-A9D5-4512-AFDE-51636B3316A2} - OProcSessId.dat
    Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\Public\SettingSyncHost | File read: C:\Windows\System32\drivers\etc\hosts
    Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create 'C:/Users/Public/SettingSyncHost'
    Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Users\Public\SettingSyncHost C:/Users/Public/SettingSyncHost
    Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: 3F97s4aQjB.xlsx | Initial sample: OLE zip file path = xl/media/image1.png
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb source: SettingSyncHost
    Source: Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb5 source: SettingSyncHost, 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp
    Source: C:\Users\Public\SettingSyncHostCode function: 4_2_00F91070 LoadLibraryA,GetProcAddress,GetProcAddress,
    Source: C:\Users\Public\SettingSyncHostCode function: 4_2_00FF5CA5 push ecx; ret
    Source: C:\Users\Public\SettingSyncHostCode function: 4_2_00F9A5A5 push ecx; ret
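    The Downloader.pdb path above, the extension-less C:\Users\Public\SettingSyncHost that wmic is told to start, and the logo[1].png that the report's ML scanner rates as a 100% PE are all content-level facts that a file triage step can recover without running the sample. The block below is an added example written for this page, not code from the report or from Joe Sandbox: it checks the MZ and PE signatures regardless of file name, flags executable content sitting behind a non-executable name, and pulls PDB paths out of CodeView RSDS debug records. The sample blob is constructed inline (its GUID, age and layout are invented); only the Downloader.pdb string mirrors the report.

```python
"""Content-based triage for files dropped with a misleading or missing extension.

Added example, not part of the Joe Sandbox report. The sample bytes are
constructed here; only the PDB path string is taken from the report.
"""
import re
import struct

EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx", ".drv")
# CodeView "RSDS" debug record: signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path.
RSDS = re.compile(rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,260})\x00", re.DOTALL)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def looks_like_pe(data: bytes) -> bool:
    """True when data has an 'MZ' DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_pdb_paths(data: bytes) -> list[str]:
    """PDB paths embedded in RSDS records (the report's C:\\Work\\...\\Downloader.pdb is one)."""
    return [m.group("path").decode("latin-1") for m in RSDS.finditer(data)]


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the content is a PE but the file name carries no executable extension."""
    return looks_like_pe(data) and not path.lower().endswith(EXEC_EXTS)


def triage(path: str, data: bytes) -> dict:
    """One record per file: PE-ness, name/content mismatch, embedded PDB paths."""
    return {
        "path": path,
        "is_pe": looks_like_pe(data),
        "extension_mismatch": extension_mismatch(path, data),
        "pdb_paths": extract_pdb_paths(data),
    }


def build_sample() -> bytes:
    """Constructed PE-shaped blob: MZ stub, e_lfanew -> 'PE\\0\\0', then an RSDS record."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew = 0x40 (invented layout)
    pe_sig = b"PE\x00\x00" + b"\x00" * 20
    rsds = (b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)   # fake GUID and age
            + b"C:\\Work\\Downloader\\Downloader\\Release\\Downloader.pdb\x00")
    return bytes(dos) + pe_sig + b"\x00" * 16 + rsds + b"\x00" * 8


if __name__ == "__main__":
    blob = build_sample()
    print(triage(r"C:\Users\Public\SettingSyncHost", blob))
    print(triage(r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png", blob))
    print(triage("real.png", PNG_MAGIC + b"\x00" * 64))
```

    The PDB path is worth keeping as a pivot: a build path like C:\Work\Downloader\... survives renaming and re-packing far more often than a hash does, and the RSDS scan works on a memory dump as well as on the file on disk.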

    Persistence and Installation Behavior:

    Creates processes via WMI
    Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\SettingSyncHost (dropped file; listed 3 times)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png (dropped file; listed 2 times)
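    The process rows in this report give a detection two concrete facts: EXCEL.EXE spawns WMIC.exe with "process call create", and C:\Users\Public\SettingSyncHost then appears with no attributable parent ("Source: unknown"). The block below is an added example written for this page, not code from the report or from Joe Sandbox. It runs two rules over constructed process-creation events modelled on those rows, then re-links the WMI-created process to the wmic call that requested it by matching the path argument rather than the parent field. The event fields (pid, ppid, image, cmdline, parent_image), the pids, the rule names and the benign control event are assumptions; the statement that Win32_Process.Create children hang off the WMI provider host instead of wmic.exe is general Windows behaviour, not something the report records.

```python
"""Process-chain detection for the Excel -> WMIC -> dropped-binary pattern.

Added example, not part of the Joe Sandbox report. Events are constructed to
mirror the report's process-creation rows; the field names are an assumed
schema, not a real EDR format.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# "process call create <path>" is how wmic.exe invokes ROOT\CIMV2 Win32_Process::Create.
WMI_CREATE = re.compile(r"process\s+call\s+create\s+['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)
PUBLIC_DIR = re.compile(r"^[a-z]:\\users\\public\\", re.IGNORECASE)
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".cpl", ".sys")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int            # 0 when the sensor could not attribute a parent
    image: str
    cmdline: str
    parent_image: str    # "" when unknown


def norm(path: str) -> str:
    """Canonical form so 'C:/Users/Public/x' (wmic spelling) equals 'C:\\Users\\Public\\x'."""
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """(pid, rule) for every event matching one of the two behaviours seen in the report."""
    hits = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        # Rule 1: an Office application driving wmic to create a process.
        if parent in OFFICE_APPS and child == "wmic.exe" and WMI_CREATE.search(ev.cmdline):
            hits.append((ev.pid, "office_spawns_wmic_process_create"))
        # Rule 2: execution from the world-writable Public profile without an executable extension.
        if PUBLIC_DIR.match(norm(ev.image)) and not child.endswith(EXEC_EXTS):
            hits.append((ev.pid, "extensionless_exec_from_users_public"))
    return hits


def correlate_wmi_children(events: list[ProcEvent]) -> dict[int, list[int]]:
    """Map each wmic 'process call create' pid to the pids whose image equals its path argument.

    Win32_Process::Create parents the new process under the WMI provider host, not under
    wmic.exe, so ppid cannot link them; the path in wmic's command line can.
    """
    links: dict[int, list[int]] = {}
    for ev in events:
        if basename(ev.image) != "wmic.exe":
            continue
        m = WMI_CREATE.search(ev.cmdline)
        if not m:
            continue
        target = norm(m.group(1))
        links[ev.pid] = [o.pid for o in events if o.pid != ev.pid and norm(o.image) == target]
    return links


# Constructed events modelled on the report's process tree; pids and the last event are invented.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding', ""),
    ProcEvent(200, 100, r"C:\Windows\SysWOW64\wbem\WMIC.exe",
              "wmic process call create 'C:/Users/Public/SettingSyncHost'",
              r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"),
    ProcEvent(300, 200, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", r"C:\Windows\SysWOW64\wbem\WMIC.exe"),
    ProcEvent(400, 0, r"C:\Users\Public\SettingSyncHost", "C:/Users/Public/SettingSyncHost", ""),
    # Benign control: an administrator querying WMI from cmd.exe must not fire either rule.
    ProcEvent(500, 1, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print(correlate_wmi_children(SAMPLE_EVENTS))
```

    Rule 1 alone would already fire on this sample; the correlation step is what turns the orphaned SettingSyncHost event into part of the same incident instead of a second, unrelated alert.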

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\SettingSyncHost (dropped file)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (59 occurrences)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\Public\SettingSyncHost Code function: GetAdaptersInfo,GetAdaptersInfo,
    Source: C:\Users\Public\SettingSyncHost Evasive API call chain: GetLocalTime,DecisionNodes
    Source: C:\Users\Public\SettingSyncHost API coverage: 7.1 %
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00FCCEB0 FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindClose,
    Source: WMIC.exe, 00000002.00000002.225347660.0000000000A10000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: WMIC.exe, 00000002.00000002.225347660.0000000000A10000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: WMIC.exe, 00000002.00000002.225347660.0000000000A10000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: WMIC.exe, 00000002.00000002.225347660.0000000000A10000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\Public\SettingSyncHost Process information queried: ProcessInformation
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00F950DA MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00F91070 LoadLibraryA,GetProcAddress,GetProcAddress,
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00FE105A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00FEA4CE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00F91FE0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00FA045E VirtualQuery,GetModuleFileNameW,GetPdbDll,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00F99082 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00FDE083 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00FD94F2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00F93C21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: Yara match File source: app.xml, type: SAMPLE
    Source: SettingSyncHost, 00000004.00000002.1301626066.00000000017E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
    Source: SettingSyncHost, 00000004.00000002.1301626066.00000000017E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
    Source: SettingSyncHost, 00000004.00000002.1301626066.00000000017E0000.00000002.00000001.sdmp Binary or memory string: Progman
    Source: SettingSyncHost, 00000004.00000002.1301626066.00000000017E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
    Source: C:\Users\Public\SettingSyncHost Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
    Source: C:\Users\Public\SettingSyncHostCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
    Source: C:\Users\Public\SettingSyncHost Code function: EnumSystemLocalesW,
    Source: C:\Users\Public\SettingSyncHost Code function: GetLocaleInfoW,
    Source: C:\Users\Public\SettingSyncHost Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
    Source: C:\Users\Public\SettingSyncHost Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
    Source: C:\Users\Public\SettingSyncHost Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
    Source: C:\Users\Public\SettingSyncHostCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
    Source: C:\Users\Public\SettingSyncHost Code function: EnumSystemLocalesW,
    Source: C:\Users\Public\SettingSyncHost Code function: GetLocaleInfoA,
    Source: C:\Users\Public\SettingSyncHost Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
    Source: C:\Users\Public\SettingSyncHost Code function: __crtGetLocaleInfoA_stat,
    Source: C:\Users\Public\SettingSyncHost Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
    Source: C:\Users\Public\SettingSyncHost Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
    Source: C:\Users\Public\SettingSyncHost Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
    Source: C:\Users\Public\SettingSyncHost Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
    Source: C:\Users\Public\SettingSyncHost Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
    Source: C:\Users\Public\SettingSyncHost Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
    Source: C:\Users\Public\SettingSyncHost Code function: GetLocaleInfoA,___ascii_strnicmp,__tolower_l,__tolower_l,
    Source: C:\Users\Public\SettingSyncHost Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
    Source: C:\Users\Public\SettingSyncHost Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
    Source: C:\Users\Public\SettingSyncHost Code function: GetLocaleInfoA,
    Source: C:\Users\Public\SettingSyncHost Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
    Source: C:\Users\Public\SettingSyncHost Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
    Source: C:\Users\Public\SettingSyncHost Code function: EnumSystemLocalesW,
    Source: C:\Users\Public\SettingSyncHost Code function: EnumSystemLocalesW,
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00F930E0 GetLocalTime,@_RTC_CheckStackVars@8,
    Source: C:\Users\Public\SettingSyncHost Code function: 4_2_00FCBF90 SHGetFolderPathA,GetUserNameA,GetComputerNameExA,

    Mitre Att&ck Matrix

    Digits after a technique name are the signature-hit counts the report prints beside that technique, one digit per severity level, separated here by spaces. Cells without digits are the matrix grid, not observed behaviour.

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation 2 1 | Path Interception | Process Injection 2 | Masquerading 1 2 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scripting 1 | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 2 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Native API 2 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | Exploitation for Client Execution 3 3 | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Account Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 1 | LSA Secrets | System Owner/User Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Extra Window Memory Injection 1 | DCSync | System Network Configuration Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 1 4 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    3F97s4aQjB.xlsx | 7% | Virustotal | | Browse
    3F97s4aQjB.xlsx | 2% | ReversingLabs | |

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png | 100% | Joe Sandbox ML | |
    C:\Users\Public\SettingSyncHost | 100% | Joe Sandbox ML | |

    Unpacked PE Files

    No Antivirus matches

    Domains

    Source | Detection | Scanner | Label | Link
    injuryless.com | 8% | Virustotal | | Browse

    URLs

    Source | Detection | Scanner | Label | Link
    https://cdn.entity. | 0% | URL Reputation | safe |
    https://powerlift.acompli.net | 0% | URL Reputation | safe |
    https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
    https://cortana.ai | 0% | URL Reputation | safe |
    https://api.aadrm.com/ | 0% | URL Reputation | safe |
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | | Browse
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
    https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
    https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
    https://officeci.azurewebsites.net/api/ | 0% | Virustotal | | Browse
    https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe |
    https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
    https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
    https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
    https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
    https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
    https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
    https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
    https://ncus.contentsync. | 0% | URL Reputation | safe |
    https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
    https://wus2.contentsync. | 0% | URL Reputation | safe |
    https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
    https://ncus.pagecontentsync. | 0% | URL Reputation | safe |
    https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |
    https://dataservice.o365filtering.com | 0% | URL Reputation | safe |
    https://api.cortana.ai | 0% | URL Reputation | safe |
    https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe |
    https://directory.services. | 0% | URL Reputation | safe |
    https://staging.cortana.ai | 0% | URL Reputation | safe |

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    injuryless.com | 193.178.169.243 | true | true | | unknown
    pigeonious.com | 95.142.44.93 | true | false | | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://api.diagnosticssdf.office.com | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://login.microsoftonline.com/ | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://shell.suite.office.com:1443 | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://autodiscover-s.outlook.com/ | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://cdn.entity. | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | URL Reputation: safe | unknown
    https://api.addins.omex.office.net/appinfo/query | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://clients.config.office.net/user/v1.0/tenantassociationkey | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://powerlift.acompli.net | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | URL Reputation: safe | unknown
    https://rpsticket.partnerservices.getmicrosoftkey.com | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | URL Reputation: safe | unknown
    https://lookup.onenote.com/lookup/geolocation/v1 | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://cortana.ai | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | URL Reputation: safe | unknown
    https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://cloudfiles.onenote.com/upload.aspx | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://entitlement.diagnosticssdf.office.com | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://api.aadrm.com/ | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | URL Reputation: safe | unknown
    https://ofcrecsvcapi-int.azurewebsites.net/ | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | 0% Virustotal (Browse); Avira URL Cloud: safe | unknown
    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | | high
    https://api.microsoftstream.com/api/ | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false | |
                                        high
                                        https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                          high
                                          https://cr.office.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                            high
                                            https://portal.office.com/account/?ref=ClientMeControl62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                              high
                                              https://graph.ppe.windows.net62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                high
                                                https://res.getmicrosoftkey.com/api/redemptionevents62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://powerlift-frontdesk.acompli.net62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://tasks.office.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                  high
                                                  https://officeci.azurewebsites.net/api/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                  • 0%, Virustotal, Browse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://sr.outlook.office.net/ws/speech/recognize/assistant/work62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                    high
                                                    https://store.office.cn/addinstemplate62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://outlook.office.com/autosuggest/api/v1/init?cvid=62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                      high
                                                      https://globaldisco.crm.dynamics.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                        high
                                                        https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                          high
                                                          https://store.officeppe.com/addinstemplate62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://dev0-api.acompli.net/autodetect62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://www.odwebp.svc.ms62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://api.powerbi.com/v1.0/myorg/groups62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                            high
                                                            https://web.microsoftstream.com/video/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                              high
                                                              https://graph.windows.net62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                high
                                                                https://dataservice.o365filtering.com/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://officesetup.getmicrosoftkey.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://analysis.windows.net/powerbi/api62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                  high
                                                                  https://prod-global-autodetect.acompli.net/autodetect62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://outlook.office365.com/autodiscover/autodiscover.json62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                    high
                                                                    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                      high
                                                                      https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                        high
                                                                        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                          high
                                                                          https://ncus.contentsync.62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                            high
                                                                            https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                              high
                                                                              http://weather.service.msn.com/data.aspx62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                high
                                                                                https://apis.live.net/v5.0/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                  high
                                                                                  https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                    high
                                                                                    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                      high
                                                                                      https://management.azure.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                        high
                                                                                        https://wus2.contentsync.62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://incidents.diagnostics.office.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                          high
                                                                                          https://clients.config.office.net/user/v1.0/ios62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                            high
                                                                                            https://insertmedia.bing.office.net/odc/insertmedia62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                              high
                                                                                              https://o365auditrealtimeingestion.manage.office.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                high
                                                                                                https://outlook.office365.com/api/v1.0/me/Activities62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                  high
                                                                                                  https://api.office.net62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                    high
                                                                                                    https://incidents.diagnosticssdf.office.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                      high
                                                                                                      https://asgsmsproxyapi.azurewebsites.net/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://clients.config.office.net/user/v1.0/android/policies62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                        high
                                                                                                        https://entitlement.diagnostics.office.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                          high
                                                                                                          https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                            high
                                                                                                            https://outlook.office.com/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                              high
                                                                                                              https://storage.live.com/clientlogs/uploadlocation62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                high
                                                                                                                https://templatelogging.office.com/client/log62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                  high
                                                                                                                  https://outlook.office365.com/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                    high
                                                                                                                    https://webshell.suite.office.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                      high
                                                                                                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                        high
                                                                                                                        https://management.azure.com/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                          high
                                                                                                                          https://login.windows.net/common/oauth2/authorize62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                            high
                                                                                                                            https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://graph.windows.net/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                              high
                                                                                                                              https://api.powerbi.com/beta/myorg/imports62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                high
                                                                                                                                https://devnull.onenote.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://ncus.pagecontentsync.62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://messaging.office.com/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://augloop.office.com/v262CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://skyapi.live.net/Activity/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://clients.config.office.net/user/v1.0/mac62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://dataservice.o365filtering.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://api.cortana.ai62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://onedrive.live.com62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://ovisualuiapp.azurewebsites.net/pbiagave/62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                https://visio.uservoice.com/forums/368202-visio-on-devices62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://directory.services.62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.drfalse
                                                                                                                                                  • URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
unknown
https://login.windows-ppe.net/common/oauth2/authorize | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false
high
https://staging.cortana.ai | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
unknown
https://loki.delve.office.com/api/v1/configuration/officewin32/ | 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr | false
high

Contacted IPs

• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
193.178.169.243 | injuryless.com | unknown | 48282 | VDSINA-ASRU | true
95.142.44.93 | pigeonious.com | Russian Federation | 210079 | EUROBYTEEurobyteLLCMoscowRussiaRU | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 432818
Start date: 10.06.2021
Start time: 19:28:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 39s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 3F97s4aQjB.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 38
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winXLSX@5/12@2/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 53.5% (good quality ratio 49.2%)
• Quality average: 82.5%
• Quality standard deviation: 30.7%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.255.188.83, 52.109.88.177, 52.109.12.23, 52.109.88.37, 168.61.161.212, 104.43.139.144, 184.30.20.56, 51.103.5.159, 20.190.160.4, 20.190.160.73, 20.190.160.69, 20.190.160.75, 20.190.160.132, 20.190.160.129, 20.190.160.8, 20.190.160.71, 20.50.102.62, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.209.183, 20.75.105.140, 20.72.88.19, 20.190.159.137, 40.126.31.7, 40.126.31.2, 40.126.31.136, 40.126.31.5, 40.126.31.140, 20.190.159.131, 40.126.31.142, 40.127.240.158, 204.79.197.200, 13.107.21.200
                                                                                                                                                      • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, www.tm.a.prd.aadg.trafficmanager.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
19:29:44 | API Interceptor | 1x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match: 193.178.169.243
Associated Sample Name / URL | Detection | Context
tmp_Client-Status-062021-952177.vbs | malicious |

Domains

Match: injuryless.com
Associated Sample Name / URL | Detection | Context
tmp_Client-Status-062021-952177.vbs | malicious | 193.178.169.243

ASN

Match: VDSINA-ASRU
Associated Sample Name / URL | Detection | Context
uew5jAHqCT.exe | malicious | 109.234.38.213
APPkj4zf3F.exe | malicious | 94.103.93.224
tmp_Client-Status-062021-952177.vbs | malicious | 193.178.169.243
N1LUjx76rV.exe | malicious | 109.234.35.229
0izHwHXyfm.exe | malicious | 109.234.35.229
gtJl8IPauk.exe | malicious | 109.234.35.229
tAL6n3gs6p.exe | malicious | 109.234.35.229
f1GoI1S7Qi.exe | malicious | 94.103.93.224
SecuriteInfo.com.Troj.Kryptik-TR.10844.exe | malicious | 193.178.170.41
SecuriteInfo.com.Troj.Kryptik-TR.30930.exe | malicious | 193.178.170.41
S5.exe | malicious | 62.113.114.79
A5A2471193648C16E45C9C053C8672A3F71F21862388C.exe | malicious | 94.103.85.106
PZ33n8HQNu.exe | malicious | 62.113.119.33
VofcOsB5QO.exe | malicious | 94.103.86.101
8vH1bonSn8.exe | malicious | 94.103.86.101
87PLLTuhpG.exe | malicious | 178.208.83.27
AC09B75D9728CEA73319605AEE734B0B776E2D1677914.exe | malicious | 195.2.78.227
file3.exe | malicious | 62.113.117.9
6a867c08_by_Libranalysis.exe | malicious | 94.103.86.101
3ef7f0d9_by_Libranalysis.exe | malicious | 62.113.117.9

Match: EUROBYTEEurobyteLLCMoscowRussiaRU
Associated Sample Name / URL | Detection | Context
template-jn02b3.dot | malicious | 95.142.40.220
PREMIUM FINANCE AGREEMENT.docx | malicious | 95.142.40.241
PREMIUM FINANCE AGREEMENT.docx | malicious | 95.142.40.220
l8Cu5Vky6C.xls | malicious | 185.154.52.100
l8Cu5Vky6C.xls | malicious | 185.154.52.100
PooYhdlQZY.xls | malicious | 185.154.52.100
PooYhdlQZY.xls | malicious | 185.154.52.100
sUeyYgEiCb.xls | malicious | 185.154.52.100
794c5aa1_by_Libranalysis.exe | malicious | 185.105.109.19
njAzoIkDJu.exe | malicious | 185.105.109.19
U92T8qzIbi.exe | malicious | 185.105.109.19
rUUR0qQI22.exe | malicious | 185.105.109.19
scan_DHL39382493.exe | malicious | 185.105.109.34
3UiiwuZ4YR.exe | malicious | 95.142.44.135
5WIxZYV73V.exe | malicious | 185.105.109.19
0anROWjIhR.exe | malicious | 185.105.109.19
fast.exe | malicious | 185.105.109.19
kinsing2 | malicious | 185.154.53.140
kinsing | malicious | 185.154.53.140
WVaiL4J4cc.exe | malicious | 185.105.109.19

                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

Dropped Files

No context

Created / dropped Files

C:\Users\Public\SettingSyncHost
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 511488
Entropy (8bit): 7.3404073760047375
Encrypted: false
SSDEEP: 12288:cyLjvFCsHOFO7t8BmzXiDm/znL2wOhlYuGUoPavYWIJdvrQoDptkYIN:BLDFTHOF0anwGYuGDQ2vQoDk5N
MD5: 526D56017EF5105277FE0D366C95C39D
SHA1: 78A40D523F4B887B2383681FECE447EF911C24EF
SHA-256: 28F2FA4F9AC95C3FC906E201B758D56C6A888B657DCF57C351A4F34FFB3E0FE2
SHA-512: F2DC53598455B422B6B53108E94229B0F5791AC25188F0ED73FB4BFF1DF018B745F1F73714E97CF4E1C52475473326C1C91DC6070D331080F1FAAF696D58841E
Malicious: true
Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\62CC7D8B-1994-4449-80B7-33F7D65A3F46
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 134922
Entropy (8bit): 5.369120137160444
Encrypted: false
SSDEEP: 1536:6cQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:qEQ9DQW+ziXOe
MD5: 0A1F23FF748ABC83EE1A72CDC88321CC
SHA1: 4BC44446EB9EFC70B3906CCB9C2027CFB370DC9A
SHA-256: A05BF9F74150184E3664C14A9B042AF23BB0A75DBA671DB351A1172FF550A47B
SHA-512: 6CE5A0DC7CB9A2749451DE3752DCF2E8A37CFDC6B19C53E79782CC00859C1E4333474641E76EE975EAA169CE136E9A4A7771532866437CDBE49DEA5E8EE7047E
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-10T17:29:39">.. Build: 16.0.14209.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\96E7ABF8.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 2186 x 1539, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 462772
Entropy (8bit): 7.968569347884841
Encrypted: false
SSDEEP: 12288:yycQMfTEzs+VfqjROL5bgSj86X/5ARknBqrZsNAdee:yQMfYBVf1xBARkgaNyr
MD5: 5D1C907B7A28ED91D8A704A7CE928FAF
SHA1: FA56635F0C2A6D93DABE3E0636DADEAECDFCE804
SHA-256: AD72EF87E54764A13E87BBD446029F48D70114B120E6DA7025947B1D51554486
SHA-512: 52A22A801395A467AABC02B4C24236FCAC4197407FC0F5C4B0D9C79C8DFB9A5DD0D935C67A7730B7EBFCD80013967F392D48D6E697A09E684BCDC62F7DBB6376
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: downloaded
Size (bytes): 511488
Entropy (8bit): 7.3404073760047375
Encrypted: false
SSDEEP: 12288:cyLjvFCsHOFO7t8BmzXiDm/znL2wOhlYuGUoPavYWIJdvrQoDptkYIN:BLDFTHOF0anwGYuGDQ2vQoDk5N
MD5: 526D56017EF5105277FE0D366C95C39D
SHA1: 78A40D523F4B887B2383681FECE447EF911C24EF
SHA-256: 28F2FA4F9AC95C3FC906E201B758D56C6A888B657DCF57C351A4F34FFB3E0FE2
SHA-512: F2DC53598455B422B6B53108E94229B0F5791AC25188F0ED73FB4BFF1DF018B745F1F73714E97CF4E1C52475473326C1C91DC6070D331080F1FAAF696D58841E
Malicious: true
Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
IE Cache URL: https://pigeonious.com/img/logo.png
C:\Users\user\AppData\Local\Temp\9B810000
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 1041071
Entropy (8bit): 7.855849071117974
Encrypted: false
SSDEEP: 12288:Ip4WH4vcCRa6p1RtTycQMfTEzs+VfqjROL5bgSj86X/5ARknBqrZsNAde+:G4vdRa6p1Rt/QMfYBVf1xBARkgaNyt
MD5: E20BC69C6969DDBF5D19950216EBCC79
SHA1: 60809A68836DCE9E7B5959B9D975427C3DDE0122
SHA-256: FDED8F0DDE8CF5DEACFB80DE6420A3CCD4F30971ACC364FF9DB855DE3D86AA4A
SHA-512: C48879E97FC9DBBFA30C8554A1B21BC8D36B080F4AD6D4C0223C5F994C47BE4986ECEEBA038E4617EF4D8D65106E21FEA79042997BF107F2921828B35DCEE16D
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\3F97s4aQjB.xlsx.LNK
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:43 2020, mtime=Fri Jun 11 01:29:42 2021, atime=Fri Jun 11 01:29:42 2021, length=1040132, window=hide
Category: dropped
Size (bytes): 2120
Entropy (8bit): 4.714364232851571
Encrypted: false
SSDEEP: 24:8zNDaX/da9OUAJHaD0nKD7aB6myzNDaX/da9OUAJHaD0nKD7aB6m:8zNONJDnKaB6pzNONJDnKaB6
MD5: B472516A8AC5D58E2AC16C39CD89EC38
SHA1: 8ADE9F104953A38DA6917729E309528DD86C2E7C
SHA-256: 3677EBF291B1C7954ADB892D9D37686C0520C71F33EFF9F8D305985E09D5E0AC
                                                                                                                                                        SHA-512:4DFC0887B9E26EE12B7D70CD543C2C3105EE9753746005B86D520EBFC52C50E787818F42A05EC120FA1F52FB927AE7A93DAFA1FCD40624E1E8A29439683E5EB0
                                                                                                                                                        Malicious:true
                                                                                                                                                        Reputation:low
                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Fri Jun 11 01:29:41 2021, atime=Fri Jun 11 01:29:41 2021, length=12288, window=hide
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):904
                                                                                                                                                        Entropy (8bit):4.652208144122537
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12:8YrXUwcuElPCH2AaSY3ouIk+WrjAZ/2bD/LC5Lu4t2Y+xIBjKZm:8cDatAZiD+87aB6m
                                                                                                                                                        MD5:86C3AEC66964F8B6866416E31E93962D
                                                                                                                                                        SHA1:3C2C30D348DA6A080E03B52ED039E806F29420D2
                                                                                                                                                        SHA-256:BC2C38396F73A0F45177582F64F18992E369E9955EAA89B3DB11823DB19FF1A0
                                                                                                                                                        SHA-512:7F6EB1D91A178E2E39ABBE6560701395E4E9C6F5E1D0F3E4516E33A27D672EF3CB59756004835213BF5935B68946580A7346DD242648B8F61614EC081D103DA2
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):100
                                                                                                                                                        Entropy (8bit):4.721266094754729
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:oyBVomxWV2npWrXCMjD2npWrXCmxWV2npWrXCv:djlW3KWvWI
                                                                                                                                                        MD5:4651D7899D0089D49B209C1EEFFC6F66
                                                                                                                                                        SHA1:272A788D9B7814F71C0E53A39A8457512DD43BC2
                                                                                                                                                        SHA-256:7DD3385C0FA67DE6A3477E1E63F4598339456786CC8C0E4B36F667A7D3BAB4FC
                                                                                                                                                        SHA-512:93F4F6602DDC965678EB92C40E9C73174C52A2CBC8D111181744E646380B5E41F0197925086ED935B75D1C5627FBE684C373081B73404FC1CBCEB329959B9BC0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview: Desktop.LNK=0..[misc]..3F97s4aQjB.xlsx.LNK=0..3F97s4aQjB.xlsx.LNK=0..[misc]..3F97s4aQjB.xlsx.LNK=0..
                                                                                                                                                        C:\Users\user\Desktop\EC810000
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1040132
                                                                                                                                                        Entropy (8bit):7.8545301896779085
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:lQPPPPPD5rIf8w195QMfYBVf1xBARkgaNyn:BQMQh/m6Nyn
                                                                                                                                                        MD5:90305FD4215DD8A8785DC7F6DD4143A6
                                                                                                                                                        SHA1:A90ED0830BF373E01681C2B491101CD5AF1904A2
                                                                                                                                                        SHA-256:384AC8CE1FF6CF1E8DBDF47CE04898887D669811B982655881FD2FB6F8BCED4D
                                                                                                                                                        SHA-512:50D827E068818BB082EB80487D4CF76C8D835CB6BEAA950F1A4BD6185C61F59F0F34328F3154CBA5274C49F3778878E315B173B5470D46482D674FD3BECB0851
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        C:\Users\user\Desktop\~$3F97s4aQjB.xls
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):165
                                                                                                                                                        Entropy (8bit):1.6081032063576088
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                        MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                        SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                        SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                        SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:high, very likely benign file
                                                                                                                                                        Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                        C:\Users\user\Desktop\~$3F97s4aQjB.xlsx
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):330
                                                                                                                                                        Entropy (8bit):1.6081032063576088
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:RFXI6dtBhFXI6dtt:RJZhJ1
                                                                                                                                                        MD5:836727206447D2C6B98C973E058460C9
                                                                                                                                                        SHA1:D83351CF6DE78FEDE0142DE5434F9217C4F285D2
                                                                                                                                                        SHA-256:D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
                                                                                                                                                        SHA-512:7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
                                                                                                                                                        Malicious:true
                                                                                                                                                        Reputation:high, very likely benign file
                                                                                                                                                        Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                        \Device\ConDrv
                                                                                                                                                        Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):160
                                                                                                                                                        Entropy (8bit):5.083203110114614
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MglVvlJQAiveyzowv:Yw7gJGWMXJXKSOdYiygKkXe/eg3leAin
                                                                                                                                                        MD5:04F5182CC4DB0183A73CC7E970598ED7
                                                                                                                                                        SHA1:B8E7038F8D7FA64B8FC04EFEBB0100998379C772
                                                                                                                                                        SHA-256:BB316A44410761BABF389A30CA439E952E13C90178E4D3E9C54F45B83998EBE0
                                                                                                                                                        SHA-512:C875CC61B3E6DBDACFD26D6FA0D28F134572D1C8EF955357A2C40BC3B6FF6A6637C325B0237D1DA7E281595A85197E74B54C7FC4FA57B17C9E09F7913A64C199
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 7044;...ReturnValue = 0;..};....

                                                                                                                                                        Static File Info

                                                                                                                                                        General

                                                                                                                                                        File type:Zip archive data, at least v2.0 to extract
                                                                                                                                                        Entropy (8bit):7.994144310692157
                                                                                                                                                        TrID:
                                                                                                                                                        • Excel Microsoft Office Binary workbook document (47504/1) 49.73%
                                                                                                                                                        • Excel Microsoft Office Open XML Format document (40004/1) 41.88%
                                                                                                                                                        • ZIP compressed archive (8000/1) 8.38%
                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                                                                                                        File name:3F97s4aQjB.xlsx
                                                                                                                                                        File size:468533
                                                                                                                                                        MD5:1ac719c744d22f42e4978e7b55828435
                                                                                                                                                        SHA1:4ddc7358f615987bf92ed9192430693db65b097c
                                                                                                                                                        SHA256:d9be275feff4b3383821b1483ba93424fb27aa40e138da41a91511193d9538cb
                                                                                                                                                        SHA512:736bcf96ca99c893c535c555133a092400e1dbc5f5143500d152c537bccc9d3faf7d541b3b11be82b68bbf4c7a1528c5fa3b45394d5b2b958c4d1d4d024e7d22
                                                                                                                                                        SSDEEP:12288:ag+iWCVTHlJFnI6TDEeTSH/NJDjXcXdeanuxZ2:4iVVTHxNcoSJDK1nuxA
                                                                                                                                                        File Content Preview:PK...........R................docProps/PK..........!.,...............docProps/app.xml.S.N.0.....`.N...Zu.#T.XQ.....u&.EbG.......m.ZNp{3o........"-8....x.Q.F.\.ML......x.&..5...xz-...Kg.p... a|LK.f..W%....m.SXWK...0[.Z..U.5.d.Qt.`.`r./.^..)N[..hn.....vM...

                                                                                                                                                        File Icon

                                                                                                                                                        Icon Hash:74ecd0d2d6d6d0dc

                                                                                                                                                        Static OLE Info

                                                                                                                                                        General

                                                                                                                                                        Document Type:OpenXML
                                                                                                                                                        Number of OLE Files:1

                                                                                                                                                        OLE File "3F97s4aQjB.xlsx"

                                                                                                                                                        Indicators

                                                                                                                                                        Has Summary Info:
                                                                                                                                                        Application Name:
                                                                                                                                                        Encrypted Document:
                                                                                                                                                        Contains Word Document Stream:
                                                                                                                                                        Contains Workbook/Book Stream:
                                                                                                                                                        Contains PowerPoint Document Stream:
                                                                                                                                                        Contains Visio Document Stream:
                                                                                                                                                        Contains ObjectPool Stream:
                                                                                                                                                        Flash Objects Count:
                                                                                                                                                        Contains VBA Macros:

                                                                                                                                                        Macro 4.0 Code

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                        Source Port  Dest Port  Source IP    Dest IP
06/10/21-19:29:51.613358  ICMP      402  ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.3  8.8.8.8

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Jun 10, 2021 19:29:43.258378983 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.336587906 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.336781979 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.337631941 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.415893078 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.415950060 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.415990114 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.416032076 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.416059971 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.416095018 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.416150093 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.416157007 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.416161060 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.417321920 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.417413950 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.435136080 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.513605118 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.513775110 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.514929056 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.593521118 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.593578100 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.593615055 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.593641996 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.593655109 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.593673944 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.593679905 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.593693018 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.593698978 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.593744040 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.593754053 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.593787909 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.593801975 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.593828917 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.593853951 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.593871117 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.593875885 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.593909979 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.593928099 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.593962908 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672254086 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672313929 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672349930 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672365904 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672389984 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672410011 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672415972 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672430038 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672449112 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672468901 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672497988 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672511101 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672522068 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672554016 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672568083 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672604084 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672606945 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672646999 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672655106 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672684908 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672698021 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672725916 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672734022 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672765017 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672780991 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672804117 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672816992 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672842979 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672852039 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672879934 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672894001 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672926903 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.672930956 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672972918 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.672985077 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.673012018 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.673027992 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.673051119 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.673064947 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.673100948 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.751229048 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751271009 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751307011 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751346111 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751380920 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751396894 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.751418114 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751431942 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.751437902 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.751441956 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.751446009 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.751455069 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751470089 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.751499891 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751517057 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.751539946 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751554012 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.751576900 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751591921 CEST  49724        443        192.168.2.3   95.142.44.93
Jun 10, 2021 19:29:43.751615047 CEST  443          49724      95.142.44.93  192.168.2.3
Jun 10, 2021 19:29:43.751627922 CEST  49724        443        192.168.2.3   95.142.44.93
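In the text export of this report the port and address columns of the TCP rows above and of the UDP rows that follow run together, so a row such as 4434972495.142.44.93192.168.2.3 has to be split back into 443, 49724, 95.142.44.93 and 192.168.2.3, and more than one split is arithmetically valid. The Python below is an added example, not part of the Joe Sandbox report, that recovers the columns by enumerating every split and keeping only the one consistent with two assumptions stated in the code: the analysis VM is 192.168.2.3 (every row shows it) and each flow pairs a service port (53, 80 or 443) with a client port from the Windows dynamic range 49152 to 65535. It then summarises packets per remote endpoint and lists DNS client ports that were reused, which is how the repeated queries from port 51352 in the UDP table surface. The sample rows are copied from this report's tables; the function and constant names are the example's own.

```python
"""Recover the fused packet columns of a text-exported sandbox report and summarise the flows."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: rows copied from the TCP and UDP packet tables of this
# report, in the fused form the text export produced (source port, destination
# port and both IPv4 addresses run together after "CEST").
TCP_ROWS = """
Jun 10, 2021 19:29:43.258378983 CEST49724443192.168.2.395.142.44.93
Jun 10, 2021 19:29:43.336587906 CEST4434972495.142.44.93192.168.2.3
Jun 10, 2021 19:29:43.336781979 CEST49724443192.168.2.395.142.44.93
"""
UDP_ROWS = """
Jun 10, 2021 19:29:26.869281054 CEST6418553192.168.2.38.8.8.8
Jun 10, 2021 19:29:26.919629097 CEST53641858.8.8.8192.168.2.3
Jun 10, 2021 19:29:40.349926949 CEST5135253192.168.2.38.8.8.8
Jun 10, 2021 19:29:41.355870008 CEST5135253192.168.2.38.8.8.8
Jun 10, 2021 19:29:42.421807051 CEST5135253192.168.2.38.8.8.8
"""

# Assumptions, not rules stated in the report: the analysis VM is 192.168.2.3,
# and a flow pairs one service port with one client port from the Windows
# dynamic range 49152-65535. Both are what disambiguate the splits.
LOCAL_HOSTS = {"192.168.2.3"}
SERVICE_PORTS = {53, 80, 443}
EPHEMERAL = range(49152, 65536)

ROW_RE = re.compile(r"^(?P<ts>.+? CEST)(?P<rest>\d[\d.]*)$")


@dataclass(frozen=True)
class Packet:
    ts: str
    sport: int
    dport: int
    src: str
    dst: str


def _octet_ok(s: str) -> bool:
    # 0..255 with no leading zero, the same rule the ipaddress module applies.
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _port_ok(s: str) -> bool:
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def _pair_ok(a: int, b: int) -> bool:
    # Exactly one side is a service port, the other a client port.
    return (a in SERVICE_PORTS and b in EPHEMERAL) or (b in SERVICE_PORTS and a in EPHEMERAL)


def parse_row(line: str) -> Packet:
    """Split one fused row; raise unless exactly one split passes every check."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    tok = m.group("rest").split(".")
    # Shape is always  sport+dport+o1 . o2 . o3 . o4+p1 . p2 . p3 . p4
    if len(tok) != 7 or not all(_octet_ok(t) for t in tok[1:3] + tok[4:]):
        raise ValueError(f"unexpected shape: {line!r}")
    head, o2, o3, mid, p2, p3, p4 = tok
    found = set()
    for i in range(1, len(head)):                  # sport | dport+o1
        for j in range(i + 1, len(head)):          # dport | o1
            sp, dp, o1 = head[:i], head[i:j], head[j:]
            if not (_port_ok(sp) and _port_ok(dp) and _octet_ok(o1) and _pair_ok(int(sp), int(dp))):
                continue
            for k in range(1, len(mid)):           # o4 | p1
                o4, p1 = mid[:k], mid[k:]
                if not (_octet_ok(o4) and _octet_ok(p1)):
                    continue
                src, dst = f"{o1}.{o2}.{o3}.{o4}", f"{p1}.{p2}.{p3}.{p4}"
                if src in LOCAL_HOSTS or dst in LOCAL_HOSTS:
                    found.add(Packet(m.group("ts"), int(sp), int(dp), src, dst))
    if len(found) != 1:
        raise ValueError(f"{len(found)} candidate splits for: {line!r}")
    return found.pop()


def parse_table(text: str) -> List[Packet]:
    return [parse_row(l) for l in text.splitlines() if l.strip()]


def summarise(packets: List[Packet]) -> Dict[Tuple[str, int], Dict[str, int]]:
    """Per (remote host, service port): packets leaving and entering the local host."""
    flows = defaultdict(lambda: {"out": 0, "in": 0})
    for p in packets:
        if p.src in LOCAL_HOSTS:
            flows[(p.dst, p.dport)]["out"] += 1
        else:
            flows[(p.src, p.sport)]["in"] += 1
    return dict(flows)


def dns_retries(packets: List[Packet]) -> Dict[int, int]:
    """Client ports that sent more than one query to port 53: a reused port is a retry."""
    counts = defaultdict(int)
    for p in packets:
        if p.src in LOCAL_HOSTS and p.dport == 53:
            counts[p.sport] += 1
    return {port: n for port, n in counts.items() if n > 1}


if __name__ == "__main__":
    tcp, udp = parse_table(TCP_ROWS), parse_table(UDP_ROWS)
    for (host, port), n in summarise(tcp + udp).items():
        print(f"{host}:{port}  out={n['out']} in={n['in']}")
    print("DNS retries by client port:", dns_retries(udp))
```

When more than one split survives the checks the parser refuses the row instead of guessing; widen SERVICE_PORTS or LOCAL_HOSTS only when the capture justifies it. Read the same way, the single Snort alert above is an ICMP port-unreachable sent by 192.168.2.3 to 8.8.8.8, which is what a DNS reply arriving after the client socket has closed produces; it is traffic from the sandbox, not a probe against it.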

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Jun 10, 2021 19:29:26.869281054 CEST  64185        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:26.919629097 CEST  53           64185      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:27.712269068 CEST  65110        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:27.767049074 CEST  53           65110      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:30.299875021 CEST  58361        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:30.350756884 CEST  53           58361      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:31.149571896 CEST  63492        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:31.202770948 CEST  53           63492      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:31.946738005 CEST  60831        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:31.999885082 CEST  53           60831      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:32.823888063 CEST  60100        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:32.877093077 CEST  53           60100      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:35.992733955 CEST  53195        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:36.043184996 CEST  53           53195      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:38.526139975 CEST  50141        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:38.576669931 CEST  53           50141      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:39.581397057 CEST  53023        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:39.675406933 CEST  53           53023      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:40.068955898 CEST  49563        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:40.119657993 CEST  53           49563      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:40.349926949 CEST  51352        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:40.421042919 CEST  53           51352      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:41.355870008 CEST  51352        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:41.429215908 CEST  53           51352      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:42.421807051 CEST  51352        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:42.480777979 CEST  53           51352      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:43.004868031 CEST  59349        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:43.055016994 CEST  53           59349      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:43.196017981 CEST  57084        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:43.256313086 CEST  53           57084      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:44.098253012 CEST  58823        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:44.148494005 CEST  53           58823      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:44.418675900 CEST  51352        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:44.477164030 CEST  53           51352      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:45.140666962 CEST  57568        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:45.190901995 CEST  53           57568      8.8.8.8       192.168.2.3
Jun 10, 2021 19:29:46.281454086 CEST  50540        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:46.301975012 CEST  54366        53         192.168.2.3   8.8.8.8
Jun 10, 2021 19:29:46.346998930 CEST  53           50540      8.8.8.8       192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:29:46.363143921 CEST53543668.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:29:47.237745047 CEST5303453192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:29:47.299107075 CEST53530348.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:29:48.465703011 CEST5135253192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:29:48.524168968 CEST53513528.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:29:49.064505100 CEST5776253192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:29:49.116206884 CEST53577628.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:29:51.561351061 CEST5776253192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:29:51.613240957 CEST53577628.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:29:52.787976980 CEST5543553192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:29:52.838251114 CEST53554358.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:29:53.757215023 CEST5071353192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:29:53.807754040 CEST53507138.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:30:04.632174969 CEST5613253192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:30:04.693382978 CEST53561328.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:30:23.215066910 CEST5898753192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:30:23.276669979 CEST53589878.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:30:55.990628958 CEST5657953192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:30:56.051986933 CEST53565798.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:30:56.819478989 CEST6063353192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:30:56.886271000 CEST53606338.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:31:12.039289951 CEST6129253192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:31:12.111557961 CEST53612928.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:31:25.904824018 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:31:25.966299057 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:31:32.244328022 CEST6493853192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:31:32.305917025 CEST53649388.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:02.641453028 CEST6194653192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:02.709626913 CEST53619468.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:04.067090988 CEST6491053192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:04.145922899 CEST53649108.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:22.280401945 CEST5212353192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:22.575020075 CEST53521238.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:24.563946009 CEST5613053192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:24.622960091 CEST53561308.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:25.961316109 CEST5633853192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:26.097450018 CEST53563388.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:26.903242111 CEST5942053192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:26.965243101 CEST53594208.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:27.928541899 CEST5878453192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:27.978883028 CEST53587848.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:28.978029966 CEST6397853192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:29.038048029 CEST53639788.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:31.757529974 CEST6293853192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:31.817420959 CEST53629388.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:33.720979929 CEST5570853192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:33.779915094 CEST53557088.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:35.097579002 CEST5680353192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:35.157727003 CEST53568038.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:35.949721098 CEST5714553192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:36.010384083 CEST53571458.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:32:40.719794989 CEST5535953192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:32:40.779256105 CEST53553598.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:34:21.674874067 CEST5830653192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:34:21.744677067 CEST53583068.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:34:22.191497087 CEST6412453192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:34:22.265377045 CEST53641248.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:34:25.343003988 CEST4936153192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:34:25.412002087 CEST53493618.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:34:29.503706932 CEST6315053192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:34:29.564973116 CEST53631508.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:34:29.899662018 CEST5327953192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:34:29.963212013 CEST53532798.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:37:29.134620905 CEST5688153192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:37:29.206645966 CEST53568818.8.8.8192.168.2.3
                                                                                                                                                        Jun 10, 2021 19:37:32.832544088 CEST5364253192.168.2.38.8.8.8
                                                                                                                                                        Jun 10, 2021 19:37:32.912306070 CEST53536428.8.8.8192.168.2.3

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jun 10, 2021 19:29:51.613358021 CEST | 192.168.2.3 | 8.8.8.8 | d077 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 10, 2021 19:29:43.196017981 CEST | 192.168.2.3 | 8.8.8.8 | 0x8251 | Standard query (0) | pigeonious.com | A (IP address) | IN (0x0001)
Jun 10, 2021 19:29:46.281454086 CEST | 192.168.2.3 | 8.8.8.8 | 0x8f87 | Standard query (0) | injuryless.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 10, 2021 19:29:43.256313086 CEST | 8.8.8.8 | 192.168.2.3 | 0x8251 | No error (0) | pigeonious.com | - | 95.142.44.93 | A (IP address) | IN (0x0001)
Jun 10, 2021 19:29:46.346998930 CEST | 8.8.8.8 | 192.168.2.3 | 0x8f87 | No error (0) | injuryless.com | - | 193.178.169.243 | A (IP address) | IN (0x0001)
Jun 10, 2021 19:30:56.051986933 CEST | 8.8.8.8 | 192.168.2.3 | 0x5e57 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 19:34:21.744677067 CEST | 8.8.8.8 | 192.168.2.3 | 0xdb4b | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest

Each connection row lists the leaf certificate; the remaining entries of its certificate chain follow indented, in the order Subject | Issuer | Not Before | Not After.

Jun 10, 2021 19:29:43.417321920 CEST | 95.142.44.93 | 443 | 192.168.2.3 | 49724 | CN=pigeonious.com | CN=R3, O=Let's Encrypt, C=US | Tue Jun 08 15:19:13 CEST 2021 | Mon Sep 06 15:19:13 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
    CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
    CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024

Jun 10, 2021 19:29:46.487052917 CEST | 193.178.169.243 | 443 | 192.168.2.3 | 49727 | CN=injuryless.com | CN=R3, O=Let's Encrypt, C=US | Thu May 27 15:42:29 CEST 2021 | Wed Aug 25 15:42:29 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
    CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
    CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 19:29:37
Start date: 10/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x12e0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:29:43
Start date: 10/06/2021
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic process call create 'C:/Users/Public/SettingSyncHost'
Imagebase: 0x13c0000
File size: 391680 bytes
MD5 hash: 79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:29:43
Start date: 10/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:29:44
Start date: 10/06/2021
Path: C:\Users\Public\SettingSyncHost
Wow64 process (32bit): true
Commandline: C:/Users/Public/SettingSyncHost
Imagebase: 0xf90000
File size: 511488 bytes
MD5 hash: 526D56017EF5105277FE0D366C95C39D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

Disassembly

Code Analysis