Windows Analysis Report statistic-1496367785.xls

Overview

General Information

Sample Name: statistic-1496367785.xls
Analysis ID: 441923
MD5: 7fb48e03b899f792be6c3118a46c5c8f
SHA1: 55445d13cd433121c6c2bfb31414b08e31e28a65
SHA256: 1c818433e1ca49729f987b3f060b2133c8375f8164181c4684600a278ee6033f

Detection

Hidden Macro 4.0
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Yara detected Xls With Macro 4.0

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: statistic-1496367785.xls Virustotal: Detection: 37%
Source: statistic-1496367785.xls ReversingLabs: Detection: 34%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 162.241.2.112:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.179.232.80:443 -> 192.168.2.4:49736 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: psq.com.mx
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.4:49734 -> 162.241.2.112:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.4:49734 -> 162.241.2.112:443

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 108.179.232.80
Source: Joe Sandbox View IP Address: 162.241.2.112
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: psq.com.mx
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.cortana.ai
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.office.net
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.onedrive.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://augloop.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://cdn.entity.
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://cortana.ai
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://cortana.ai/api
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://cr.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://directory.services.
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://graph.windows.net
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://graph.windows.net/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://login.windows.local
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://management.azure.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://management.azure.com/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://messaging.office.com/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://officeapps.live.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://onedrive.live.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://osi.office.net
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://outlook.office.com/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://settings.outlook.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://tasks.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 0A8CE175-D39D-43AE-8F1B-CA84388C02A0.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown HTTPS traffic detected: 162.241.2.112:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.179.232.80:443 -> 192.168.2.4:49736 version: TLS 1.2

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 11 from the yellow bar above RunDLL X 12 13 Once You have Enable Editing, plea T
Source: Screenshot number: 8 Screenshot OCR: Enable Editing I, 11 from the yellow bar above RunDLL (Not Responding) t 12 , It 13 Once Yo
Found Excel 4.0 Macro with suspicious formulas
Source: statistic-1496367785.xls Initial sample: CALL
Source: statistic-1496367785.xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: statistic-1496367785.xls Initial sample: Sheet size: 8121
Source: classification engine Classification label: mal80.expl.evad.winXLS@5/7@2/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{698BFA13-D49C-4C62-9BE6-E187F6452013} - OProcSessId.dat Jump to behavior
Source: statistic-1496367785.xls OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer
Source: statistic-1496367785.xls Virustotal: Detection: 37%
Source: statistic-1496367785.xls ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\flamo.vir1,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\flamo.vir1,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: statistic-1496367785.xls Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: rundll32.exe, 0000000F.00000002.920391861.0000000003F10000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 0000000F.00000002.920391861.0000000003F10000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 0000000F.00000002.920391861.0000000003F10000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 0000000F.00000002.920391861.0000000003F10000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: statistic-1496367785.xls, type: SAMPLE
Yara detected Xls With Macro 4.0
Source: Yara match File source: statistic-1496367785.xls, type: SAMPLE