Play interactive tour

Edit tour

Windows Analysis Report Seafood Order and Company Profile.xlsx

Overview

General Information

Sample Name:	Seafood Order and Company Profile.xlsx
Analysis ID:	435320
MD5:	4c9867155a69c0e089cbf6e287442798
SHA1:	72fd5acd0ce33714c3aff9e837af3be0db733800
SHA256:	9fcc8435ac8254ae9b1dea93cff53098e94d193ea4edef5b5300e7c8f0328d2c
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Allocates a big amount of memory (probably used for heap spraying)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 6092 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Seafood Order and Company Profile.xlsx	Virustotal: Detection: 31%			Perma Link
Source: Seafood Order and Company Profile.xlsx	ReversingLabs: Detection: 30%

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: excel.exe

Memory has grown: Private usage: 1MB later: 145MB

Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 73C09E83.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.cortana.ai
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.office.net
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.onedrive.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://augloop.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://cdn.entity.
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://cortana.ai
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://cortana.ai/api
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://cr.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://directory.services.
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://graph.windows.net
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://graph.windows.net/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://login.windows.local
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://management.azure.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://management.azure.com/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://messaging.office.com/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://officeapps.live.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://onedrive.live.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://osi.office.net
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://outlook.office.com/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://settings.outlook.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://tasks.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: Seafood Order and Company Profile.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal48.winXLSX@1/21@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{BD94112B-6D50-4E82-ABF0-093C4CADE457} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Seafood Order and Company Profile.xlsx	Virustotal: Detection: 31%
Source: Seafood Order and Company Profile.xlsx	ReversingLabs: Detection: 30%

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: Seafood Order and Company Profile.xlsx

Static file information: File size 1315840 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: Seafood Order and Company Profile.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Seafood Order and Company Profile.xlsx

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Seafood Order and Company Profile.xlsx

Stream path 'EncryptedPackage' entropy: 7.9998536578 (max. 8.0)

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Extra Window Memory Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Extra Window Memory Injection1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Seafood Order and Company Profile.xlsx	31%	Virustotal		Browse
Seafood Order and Company Profile.xlsx	30%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Virustotal		Browse
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://login.microsoftonline.com/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://shell.suite.office.com:1443	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://autodiscover-s.outlook.com/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://cdn.entity.	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://powerlift.acompli.net	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://cortana.ai	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://api.aadrm.com/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://api.microsoftstream.com/api/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://cr.office.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://graph.ppe.windows.net	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://officeci.azurewebsites.net/api/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://store.office.cn/addinstemplate	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://globaldisco.crm.dynamics.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://store.officeppe.com/addinstemplate	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://web.microsoftstream.com/video/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://graph.windows.net	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://dataservice.o365filtering.com/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://ncus.contentsync.	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
http://weather.service.msn.com/data.aspx	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://apis.live.net/v5.0/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://management.azure.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://wus2.contentsync.	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://api.office.net	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://incidents.diagnosticssdf.office.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://entitlement.diagnostics.office.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://outlook.office.com/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://templatelogging.office.com/client/log	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://outlook.office365.com/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://webshell.suite.office.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://management.azure.com/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://devnull.onenote.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://ncus.pagecontentsync.	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://messaging.office.com/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://augloop.office.com/v2	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://skyapi.live.net/Activity/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://dataservice.o365filtering.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://directory.services.	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high
https://staging.cortana.ai	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://loki.delve.office.com/api/v1/configuration/officewin32/	CF8173CA-C5F2-4111-899E-6E65886A2D62.0.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	435320
Start date:	16.06.2021
Start time:	12:22:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Seafood Order and Company Profile.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winXLSX@1/21@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 23.211.6.115, 52.147.198.201, 13.88.21.125, 104.42.151.234, 52.109.88.177, 52.109.12.24, 52.109.8.23, 184.24.3.140, 23.211.4.86, 20.50.102.62, 51.103.5.186, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.209.183 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, e15275.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, wildcard.weather.microsoft.com.edgekey.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtCreateFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CF8173CA-C5F2-4111-899E-6E65886A2D62 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134863
Entropy (8bit):	5.364785929501871
Encrypted:	false
SSDEEP:	1536:xcQIKNEeBxA3gBwlpQ9DQW+z7Y34ZliKWXboOilX5E6LWME9:jEQ9DQW+zLXO1
MD5:	D92E7E0B5C438E8FF3838121DD58AC46
SHA1:	DCDBDBC75F4F054F8602997677A3CF74567DF8CC
SHA-256:	70AC58B36311748AE54F6F60A3E53545E088F4D47BE1CEC55BE438850A9CED3D
SHA-512:	9A17E560A15431FA3BF31D16CD861C43A2D656AB04FCD17F65C7C1C6F072CAD8B8BF2A6B5B5983632E572ACD9F12C49EC788474133778B0E84D60BFC10B7EE3A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-16T10:23:10">.. Build: 16.0.14214.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\14E11E89.emf Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7592
Entropy (8bit):	5.452334018432516
Encrypted:	false
SSDEEP:	96:znY+f/mcqblJaXn/08pnDp0d7vilxL01/G37uVH1oL6lcQtoVhZxGOme3SBwi:bYCVSTxK/LA/FVoL3QtKhn+e3+wi
MD5:	174F7349639B3C21402C2DE53E860A70
SHA1:	D6215A38F72901A6A2832056E783CACD84B3855A
SHA-256:	BD4277F040C3459648B8B3121B63E0B7D3F801BD538EE715447506ACBC0187DB
SHA-512:	C35A4C84082AC42D30F4D5EA644037EFB623EA7F67AA6E48DA7CCFB52E38F8EFD4D3C6775B724110EB580AF524E749E320C5987F2230544925BF2A85CAD9B167
Malicious:	false
Reputation:	low
Preview:	....l...(.......e...<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.......d...................$.^...^.'..q....\...$.^.....$.^...^.W..q....$.^..6.u_..q.......qX...Dy:w.B..........H.^...7w....$.....J.d.........^.J^.q.... ^.q.;...B..8......-...t.^..<6w................<..u.Z.v....X.S....X.........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1ABB3EA8.emf Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	5.091127811854214
Encrypted:	false
SSDEEP:	96:+SDjyLSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5Djr+sW31RGtdVDYM3VfmkpH
MD5:	EB06F07412A815AED391F20298C1087B
SHA1:	AC0601FFC173F50B56C3AE2265C61B76711FBE01
SHA-256:	5CA81C391E8CA113254221D535BE4E0677908DA61DE0016EC963DD443F535FDE
SHA-512:	38AEF603FAC0AB6FB7159EBA5B48BD7E191A433739710AEACB11538E51ADA5E99CD724BE5B3886986FCBB02375B0C132B0C303AE8838602BCE88475DDD727A49
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I....................................................v.Ze..............%f^..................Y...Y.'.wq....\.....Y.......Y.@.Y.W.wq......Y..6.v_.wq......wq.Ze.4.g^..Y...f^0.g^......g^..f^........4.g^@.Y...f^......f^..........g^..Y.......g^4tf^..g^............<..u.Z.v.....Ze......Ze........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2664183B.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\327FBD00.jpeg Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3
Category:	dropped
Size (bytes):	29499
Entropy (8bit):	7.667442162526095
Encrypted:	false
SSDEEP:	384:ac8UyN1qqyn7FdNfzZY3AJ0NcoEwa4OXyTqEunn9k+MPiEWsKHBm8oguHh9kt98g:p8wn7TNfzZ0NcnwR6kvKPsPWghY6g
MD5:	4FBDDF16124B6C9368537DF70A238C14
SHA1:	45E34D715128C6954F589910E6D0429370D3E01A
SHA-256:	0668A8E7DA394FE73B994AD85F6CA782F6C09BFF2F35581854C2408CF3909D86
SHA-512:	EA17593F175D49792629EC35320AD21D5707CB4CF9E3A7B5DA362FC86AF207F0C14059B51233C3E371F2B7830EAD693B604264CA50968891B420FEA2FC4B29EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............C....................................................................C.......................................................................6.&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0.F...GEH.[....^......Z]k?B..]...A.....q.<..].c....G....Z}.....=.y1.......x->.=.....<.........<..E....a.L...h.c....O..e..a.L...h.c....O..e..a.L...k/_..Mf.[.o.@C(..k^..P..l8........${..Ly.)..'".....N)." .$e.a....-....B.{.\f...).%a.J..>.9b.X..V.%i.Q....%h.V.E...X..V..Q..GQRR?A..!..;.g..B...2..u..W............'..kN.X.,Fy+G...(.r.g..y+O..X.,Fy+H.#)_,...%.r.9Q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3C93D23A.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5E0CC3B7.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	50311
Entropy (8bit):	7.960958863022709
Encrypted:	false
SSDEEP:	768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:	4141C7515CE64FED13BE6D2BA33299AA
SHA1:	B290F533537A734B7030CE1269AC8C5398754194
SHA-256:	F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:	74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..\|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..\|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.\|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\659AE274.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	50311
Entropy (8bit):	7.960958863022709
Encrypted:	false
SSDEEP:	768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:	4141C7515CE64FED13BE6D2BA33299AA
SHA1:	B290F533537A734B7030CE1269AC8C5398754194
SHA-256:	F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:	74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:	false
Preview:	.PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..\|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..\|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.\|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\73C09E83.emf Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.8124530118203914
Encrypted:	false
SSDEEP:	3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
MD5:	955A9E08DFD3A0E31C7BCF66F9519FFC
SHA1:	F677467423105ACF39B76CB366F08152527052B3
SHA-256:	08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
SHA-512:	39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
Malicious:	false
Preview:	....l...........................Q>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................V$.....o..f.V.@o.%.....o...o.....L.o...o.RQAXL.o.D.o.......o.0.o.$QAXL.o.D.o. ...Id.VD.o.L.o. ............d.V........................................%...X...%...7...................{$..................C.a.l.i.b.r.i.............o.X...D.o.x.o..8.V........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\80EEC8F3.jpeg Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3
Category:	dropped
Size (bytes):	29499
Entropy (8bit):	7.667442162526095
Encrypted:	false
SSDEEP:	384:ac8UyN1qqyn7FdNfzZY3AJ0NcoEwa4OXyTqEunn9k+MPiEWsKHBm8oguHh9kt98g:p8wn7TNfzZ0NcnwR6kvKPsPWghY6g
MD5:	4FBDDF16124B6C9368537DF70A238C14
SHA1:	45E34D715128C6954F589910E6D0429370D3E01A
SHA-256:	0668A8E7DA394FE73B994AD85F6CA782F6C09BFF2F35581854C2408CF3909D86
SHA-512:	EA17593F175D49792629EC35320AD21D5707CB4CF9E3A7B5DA362FC86AF207F0C14059B51233C3E371F2B7830EAD693B604264CA50968891B420FEA2FC4B29EC
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................6.&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0.F...GEH.[....^......Z]k?B..]...A.....q.<..].c....G....Z}.....=.y1.......x->.=.....<.........<..E....a.L...h.c....O..e..a.L...h.c....O..e..a.L...k/_..Mf.[.o.@C(..k^..P..l8........${..Ly.)..'".....N)." .$e.a....-....B.{.\f...).%a.J..>.9b.X..V.%i.Q....%h.V.E...X..V..Q..GQRR?A..!..;.g..B...2..u..W............'..kN.X.,Fy+G...(.r.g..y+O..X.,Fy+H.#)_,...%.r.9Q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\96592B0E.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\ACA7CA7F.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B21A94A2.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BCFA22F6.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EACA9901.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EDE45DDD.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F97FDA4C.jpeg Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FC6BB7E5.jpeg Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\mso80C0.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 977 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5477
Entropy (8bit):	3.123605833485142
Encrypted:	false
SSDEEP:	24:Lc8/6BJvNMOOEqeeenkOEEBeeennMREieeeenMGeeennMMOEEieeennMMpPWeeer:Lv/6BH
MD5:	C4C38A7D937C652FE5C5A39C668F8D86
SHA1:	BAACAB0836AFC11765E1896388D06F7A5DEB9253
SHA-256:	48B090CBFA1300A7A60F6EAAFA08DDACCFC96943C8A3E943A4B9D9E45A18B52A
SHA-512:	68C53BF3920CF12E2BCF5129DFE2AC61B4A0EF4BFF6692DAED401E53FDA7EEDA73A80FF13ED83D29FB03F97B8C5F5F3AD88890ACFFD3C12DF0F3710DCD4D7CAF
Malicious:	false
Preview:	.PNG........IHDR................w....pHYs.................tEXtSoftware.Adobe ImageReadyq.e<....IDATx.....0.EA.2....3D.O`..G.5.....m.u...s.J......9M...."....D4....h........ ....@D...."....D4....h........ ....@D.........D4....h........ ....@D.........D4....h........ ....@D...............h........ ....@D.............."......... ....@D.............."......... ....@D.............."....D4... ....@D.............."....D4... ....@D.............."....D4....h...@D.............."....D4....h..................."....D4....h..................."....D4....h........ .........."....D4....h........ ....@D.....D4....h........ ....@D.........D4....h........ ....@D...............h........ ....@D...............h........ ....@D.............."......... ....@D.............."....D4... ....@D.............."....D4... ....@D.............."....D4....h...@D.............."....D4....h...@D.............."....D4....h..................."....D4....h........ .........."....D4....h........ .........."....D4....h........ ...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\msoBC75.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 977 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5477
Entropy (8bit):	3.123605833485142
Encrypted:	false
SSDEEP:	24:Lc8/6BJvNMOOEqeeenkOEEBeeennMREieeeenMGeeennMMOEEieeennMMpPWeeer:Lv/6BH
MD5:	C4C38A7D937C652FE5C5A39C668F8D86
SHA1:	BAACAB0836AFC11765E1896388D06F7A5DEB9253
SHA-256:	48B090CBFA1300A7A60F6EAAFA08DDACCFC96943C8A3E943A4B9D9E45A18B52A
SHA-512:	68C53BF3920CF12E2BCF5129DFE2AC61B4A0EF4BFF6692DAED401E53FDA7EEDA73A80FF13ED83D29FB03F97B8C5F5F3AD88890ACFFD3C12DF0F3710DCD4D7CAF
Malicious:	false
Preview:	.PNG........IHDR................w....pHYs.................tEXtSoftware.Adobe ImageReadyq.e<....IDATx.....0.EA.2....3D.O`..G.5.....m.u...s.J......9M...."....D4....h........ ....@D...."....D4....h........ ....@D.........D4....h........ ....@D.........D4....h........ ....@D...............h........ ....@D.............."......... ....@D.............."......... ....@D.............."....D4... ....@D.............."....D4... ....@D.............."....D4....h...@D.............."....D4....h..................."....D4....h..................."....D4....h........ .........."....D4....h........ ....@D.....D4....h........ ....@D.........D4....h........ ....@D...............h........ ....@D...............h........ ....@D.............."......... ....@D.............."....D4... ....@D.............."....D4... ....@D.............."....D4....h...@D.............."....D4....h...@D.............."....D4....h..................."....D4....h........ .........."....D4....h........ .........."....D4....h........ ...

C:\Users\user\Desktop\~$Seafood Order and Company Profile.xlsx Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtBhFXI6dtt:RJZhJ1
MD5:	836727206447D2C6B98C973E058460C9
SHA1:	D83351CF6DE78FEDE0142DE5434F9217C4F285D2
SHA-256:	D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
SHA-512:	7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
Malicious:	true
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.995552020832647
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Seafood Order and Company Profile.xlsx
File size:	1315840
MD5:	4c9867155a69c0e089cbf6e287442798
SHA1:	72fd5acd0ce33714c3aff9e837af3be0db733800
SHA256:	9fcc8435ac8254ae9b1dea93cff53098e94d193ea4edef5b5300e7c8f0328d2c
SHA512:	4855ee30d0d5b56f6fa33ef20cf709b80aae2dfabc7eadfb65e21328aaa3d8634086b7a31bb8cfe2201fec21ccb18f6424e09f8cdd332de1df4655bcfe076f35
SSDEEP:	24576:0qPFc03WtYM1mvUtca7XBUBMfaM0XeUSkiRROa:XChtYvvqRUBqazu/H
File Content Preview:	........................>.......................................................................................................\|.......~...............z......................................................................................................

File Icon


Icon Hash:	74ecd0d2d6d6d0dc

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Seafood Order and Company Profile.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1301128

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1301128
Entropy:	7.9998536578
Base64 Encoded:	True
Data ASCII:	} . . . . . . . . . . . . . . O . . . . . . - . U . E h % f . Y . . . . 0 ) . . . . . i u . . . + , . . . . . . h H . . . . . N \| K e . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E .
Data Raw:	7d da 13 00 00 00 00 00 9b 1e fc ad 9f 90 a7 4f 8a 13 d5 81 0d 87 2d 95 55 a2 45 68 25 66 04 59 86 04 d9 c7 30 29 e4 d6 1a cc a2 69 75 b6 0c d6 2b 2c 1a f3 82 b3 09 c7 68 48 12 0a c1 17 ae 4e 7c 4b 65 b9 8b d5 03 af 9c 98 9b eb b5 9c 45 1b 25 8e c3 f4 83 82 1e 83 9c 98 9b eb b5 9c 45 1b 25 8e c3 f4 83 82 1e 83 9c 98 9b eb b5 9c 45 1b 25 8e c3 f4 83 82 1e 83 9c 98 9b eb b5 9c 45 1b

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.54585124335
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . e . ` . ` . > . . . . [ . . + ) . . . . . . . J 5 . . _ V 3 . . . . . ) . d . . 3 ^ Y . . . . . r . . . ; ) . 4 . . V . . . 2 . x . 1
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 16, 2021 12:22:49.889399052 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:22:49.923496962 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:22:49.944417000 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 16, 2021 12:22:49.988740921 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 16, 2021 12:22:50.820585012 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:22:50.883204937 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 16, 2021 12:22:53.926372051 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:22:53.985371113 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 16, 2021 12:22:54.732820988 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:22:54.796130896 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 16, 2021 12:22:55.563942909 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:22:55.622385025 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 16, 2021 12:22:56.535986900 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:22:56.586673975 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 16, 2021 12:22:57.605284929 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:22:57.655832052 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 16, 2021 12:22:58.529326916 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:22:58.579710960 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:00.114141941 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:00.179079056 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:01.201478004 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:01.257831097 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:02.302635908 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:02.352844954 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:03.433598042 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:03.483731031 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:08.574410915 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:08.624767065 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:09.996073008 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:10.165018082 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:10.547347069 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:10.634543896 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:10.903754950 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:10.957055092 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:11.583466053 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:11.633925915 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:12.629034042 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:12.689945936 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:13.885476112 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:13.945744991 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:14.629256010 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:14.680636883 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:15.326210976 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:15.379795074 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:16.553546906 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:16.604451895 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:18.676876068 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:18.757234097 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:21.703491926 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:21.764782906 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:22.746848106 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:22.810206890 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:25.387501001 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:25.457484961 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:44.944555044 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:45.011893034 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:47.345160007 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:47.412116051 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 16, 2021 12:23:58.454682112 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:23:58.520071983 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 16, 2021 12:24:38.338854074 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:24:38.398761988 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 16, 2021 12:24:42.683063984 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:24:42.750207901 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 16, 2021 12:25:21.268604040 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:25:21.335544109 CEST	53	64910	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: EXCEL.EXE PID: 6092 Parent PID: 792

General

Start time:	12:23:07
Start date:	16/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x1a0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Reset < >

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Seafood Order and Company Profile.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Seafood Order and Company Profile.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1301128

General

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: EXCEL.EXE PID: 6092 Parent PID: 792

General