
Windows Analysis Report oBfsC4t10n2.xls

Overview

General Information

Sample Name: oBfsC4t10n2.xls
Analysis ID: 461925
MD5: 0c09fbdf98f0a6144a42fde00fe21504
SHA1: bb4a594ecf90ed6b9e408c404b08620500fb4c02
SHA256: 1f156f86d45e28dac74015051546305497adb86b4e46bb7d9a84ccf5e25a12f4

Detection

Hidden Macro 4.0
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
Yara signature match

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 7104 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: oBfsC4t10n2.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0xcbcaa:$s1: Excel
  • 0xccd0a:$s1: Excel
  • 0x321f:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: oBfsC4t10n2.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security
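
The $Auto_Open string in the first rule is the start of a BIFF8 Lbl (defined name) record: type 0x0018, length 0x0017, flags 0x0020 (fBuiltin), cch 1, cce 7, then a one-byte built-in name code 0x01, which is Auto_Open, followed by the first formula token 0x3A (PtgRef3d). A hidden Excel 4.0 macro sheet, the condition the second rule's name refers to, is a BOUNDSHEET record whose sheet-type byte is 0x01 (macro sheet) and whose state bits are non-zero (hidden or very hidden). The parser below checks both conditions on a Workbook stream. It is an added example, not code from Joe Sandbox, Joe Security or John Lambert's rule; record layouts follow MS-XLS and are assumed to be BIFF8, the sample stream is constructed here (only the Lbl bytes are lifted from the Yara string above), and reading a real .xls needs the third-party olefile package to pull the Workbook stream out of the OLE2 container (the D0 CF 11 E0 $header_docf magic).

```python
# Added example: BIFF8 record walker for Excel 4.0 macro indicators (MS-XLS layouts).
import struct
import sys

BOF, EOF, BOUNDSHEET, LBL = 0x0809, 0x000A, 0x0085, 0x0018
SHEET_TYPE = {0x00: "worksheet", 0x01: "xlm-macro", 0x02: "chart", 0x06: "vba-module"}
SHEET_STATE = {0: "visible", 1: "hidden", 2: "very-hidden"}
# Built-in defined-name codes (Lbl with fBuiltin set); only the auto-exec ones are listed.
BUILTIN_NAME = {0x01: "Auto_Open", 0x02: "Auto_Close",
                0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}


def biff_records(stream: bytes):
    """Yield (record_type, payload) for each BIFF record; stop at a truncated one."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4:off + 4 + rlen]
        if len(payload) < rlen:          # declared length runs past the stream
            return
        yield rtype, payload
        off += 4 + rlen


def short_unicode(buf: bytes, off: int, cch: int) -> str:
    """Decode an XLUnicodeString body at buf[off]: flags byte, then cch characters."""
    if buf[off] & 1:                     # fHighByte: UTF-16LE characters
        return buf[off + 1:off + 1 + 2 * cch].decode("utf-16-le", "replace")
    return buf[off + 1:off + 1 + cch].decode("latin-1")


def parse_boundsheet(p: bytes) -> dict:
    pos, state, dt, cch = struct.unpack_from("<IBBB", p, 0)
    return {"name": short_unicode(p, 7, cch),
            "type": SHEET_TYPE.get(dt, f"type-0x{dt:02x}"),
            "state": SHEET_STATE.get(state & 3, "unknown"),
            "offset": pos}


def parse_lbl(p: bytes) -> dict:
    flags, _chkey, cch, cce = struct.unpack_from("<HBBH", p, 0)
    builtin = bool(flags & 0x0020)
    name_len = 2 * cch if p[14] & 1 else cch        # name string starts at offset 14
    if builtin:                                      # one-byte built-in name code
        name = BUILTIN_NAME.get(p[15], f"builtin-0x{p[15]:02x}")
    else:
        name = short_unicode(p, 14, cch)
    rgce = p[15 + name_len:15 + name_len + cce]      # parsed formula (ptg tokens)
    return {"name": name, "builtin": builtin,
            "hidden": bool(flags & 0x0001), "rgce": rgce.hex()}


def find_xlm_indicators(workbook: bytes) -> dict:
    sheets, names = [], []
    for rtype, payload in biff_records(workbook):
        if rtype == BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rtype == LBL:
            names.append(parse_lbl(payload))
    hidden_macro = [s for s in sheets
                    if s["type"] == "xlm-macro" and s["state"] != "visible"]
    autoexec = [n for n in names if n["name"] in ("Auto_Open", "Auto_Close")]
    return {"sheets": sheets, "names": names, "hidden_macro_sheets": hidden_macro,
            "autoexec_names": autoexec, "suspicious": bool(hidden_macro or autoexec)}


def scan_file(path: str) -> dict:
    """Real files: extract the Workbook stream with olefile (pip install olefile)."""
    import olefile                       # third-party; not needed for the embedded sample
    ole = olefile.OleFileIO(path)
    try:
        if not ole.exists("Workbook"):
            raise ValueError("no BIFF8 'Workbook' stream; not a legacy .xls?")
        return find_xlm_indicators(ole.openstream("Workbook").read())
    finally:
        ole.close()


# --- constructed sample stream (not taken from the analysed file) --------------
def _rec(rtype: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(payload)) + payload


def _boundsheet(pos: int, state: int, dt: int, name: str) -> bytes:
    body = struct.pack("<IBBBB", pos, state, dt, len(name), 0) + name.encode("latin-1")
    return _rec(BOUNDSHEET, body)


# Lbl bytes copied from the report's $Auto_Open Yara string, zero-padded to the
# 0x17-byte payload length its header declares.
AUTO_OPEN_LBL = bytes.fromhex("18001700 20000001 07000000 00000000 00000001 3A") + bytes(6)

SAMPLE_WORKBOOK = (
    _rec(BOF, struct.pack("<HH", 0x0600, 0x0005) + bytes(12))   # BIFF8 workbook globals
    + _boundsheet(0x1000, 0, 0x00, "Sheet1")                    # visible decoy sheet
    + _boundsheet(0x2000, 2, 0x01, "Macro1")                    # very-hidden XLM sheet
    + AUTO_OPEN_LBL
    + _rec(EOF, b""))

if __name__ == "__main__":
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_xlm_indicators(SAMPLE_WORKBOOK)
    for s in result["sheets"]:
        print(f"sheet {s['name']!r:12} {s['type']:12} {s['state']}")
    for n in result["names"]:
        print(f"name  {n['name']!r:12} builtin={n['builtin']} hidden={n['hidden']} rgce={n['rgce']}")
    print("SUSPICIOUS" if result["suspicious"] else "no XLM indicators")
```

Run it with a path to a .xls to scan a real file; with no argument it scans the embedded sample. Two caveats: BIFF5 workbooks keep the same records in a stream named Book rather than Workbook, and macro sheets are routinely given innocuous names, so the sheet-type byte, not the name, is what to key on.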

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    AV Detection:

    Antivirus / Scanner detection for submitted sample
    Source: oBfsC4t10n2.xls; Avira: detected
    Multi AV Scanner detection for submitted file
    Source: oBfsC4t10n2.xls; Virustotal: Detection: 63%
    Source: oBfsC4t10n2.xls; Metadefender: Detection: 44%
    Source: oBfsC4t10n2.xls; ReversingLabs: Detection: 68%
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: oBfsC4t10n2.xls; String found in binary or memory: http://0b.htb/s.dll
    Source: 4783B964-6B07-40F0-8FA8-C56645744E15.0.dr (dropped file); strings found in binary or memory:
        http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
        http://weather.service.msn.com/data.aspx
        https://addinsinstallation.store.office.com/app/acquisitionlogging
        https://addinsinstallation.store.office.com/app/download
        https://addinsinstallation.store.office.com/appinstall/preinstalled
        https://addinsinstallation.store.office.com/appinstall/unauthenticated
        https://addinslicensing.store.office.com/commerce/query
        https://analysis.windows.net/powerbi/api
        https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        https://api.aadrm.com/
        https://api.addins.omex.office.net/appinfo/query
        https://api.addins.omex.office.net/appstate/query
        https://api.addins.store.office.com/app/query
        https://api.cortana.ai
        https://api.diagnostics.office.com
        https://api.diagnosticssdf.office.com
        https://api.microsoftstream.com/api/
        https://api.office.net
        https://api.onedrive.com
        https://api.powerbi.com/beta/myorg/imports
        https://api.powerbi.com/v1.0/myorg/datasets
        https://api.powerbi.com/v1.0/myorg/groups
        https://apis.live.net/v5.0/
        https://arc.msn.com/v4/api/selection
        https://asgsmsproxyapi.azurewebsites.net/
        https://augloop.office.com
        https://augloop.office.com/v2
        https://autodiscover-s.outlook.com/
        https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
        https://cdn.entity.
        https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
        https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
        https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
        https://client-office365-tas.msedge.net/ab
        https://clients.config.office.net/
        https://clients.config.office.net/user/v1.0/android/policies
        https://clients.config.office.net/user/v1.0/ios
        https://clients.config.office.net/user/v1.0/mac
        https://clients.config.office.net/user/v1.0/tenantassociationkey
        https://cloudfiles.onenote.com/upload.aspx
        https://config.edge.skype.com
        https://config.edge.skype.com/config/v1/Office
        https://config.edge.skype.com/config/v2/Office
        https://cortana.ai
        https://cortana.ai/api
        https://cr.office.com
        https://dataservice.o365filtering.com
        https://dataservice.o365filtering.com/
        https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
        https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
        https://dev.cortana.ai
        https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
        https://dev0-api.acompli.net/autodetect
        https://devnull.onenote.com
        https://directory.services.
        https://ecs.office.com/config/v2/Office
        https://enrichment.osi.office.net/
        https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
        https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
        https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
        https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
        https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
        https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
        https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
        https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
        https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
        https://entitlement.diagnostics.office.com
        https://entitlement.diagnosticssdf.office.com
        https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
        https://globaldisco.crm.dynamics.com
        https://graph.ppe.windows.net
        https://graph.ppe.windows.net/
        https://graph.windows.net
        https://graph.windows.net/
        https://hubblecontent.osi.office.net/contentsvc/api/telemetry
        https://hubblecontent.osi.office.net/contentsvc/browse?
        https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
        https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
        https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
        https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
        https://hubblecontent.osi.office.net/contentsvc/microsofticon?
        https://incidents.diagnostics.office.com
        https://incidents.diagnosticssdf.office.com
        https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
        https://insertmedia.bing.office.net/odc/insertmedia
        https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
        https://lifecycle.office.com
        https://login.microsoftonline.com/
        https://login.windows-ppe.net/common/oauth2/authorize
        https://login.windows.local
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
        https://login.windows.net/common/oauth2/authorize
        https://loki.delve.office.com/api/v1/configuration/officewin32/
        https://lookup.onenote.com/lookup/geolocation/v1
        https://management.azure.com
        https://management.azure.com/
        https://messaging.office.com/
        https://metadata.templates.cdn.office.net/client/log
        https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
        https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        https://ncus.contentsync.
        https://ncus.pagecontentsync.
        https://o365auditrealtimeingestion.manage.office.com
        https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
        https://o365diagnosticsppe-web.cloudapp.net
        https://ocos-office365-s2s.msedge.net/ab
        https://ofcrecsvcapi-int.azurewebsites.net/
        https://officeapps.live.com
        https://officeci.azurewebsites.net/api/
        https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
        https://officesetup.getmicrosoftkey.com
        https://ogma.osi.office.net/TradukoApi/api/v1.0/
        https://omex.cdn.office.net/addinclassifier/officeentities
        https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
        https://onedrive.live.com
        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
        https://onedrive.live.com/embed?
        https://osi.office.net
        https://outlook.office.com/
        https://outlook.office.com/autosuggest/api/v1/init?cvid=
        https://outlook.office365.com/
        https://outlook.office365.com/api/v1.0/me/Activities
        https://outlook.office365.com/autodiscover/autodiscover.json
        https://ovisualuiapp.azurewebsites.net/pbiagave/
        https://pages.store.office.com/appshome.aspx?productgroup=Outlook
        https://pages.store.office.com/review/query
        https://pages.store.office.com/webapplandingpage.aspx
        https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
        https://portal.office.com/account/?ref=ClientMeControl
        https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
        https://powerlift-frontdesk.acompli.net
        https://powerlift.acompli.net
        https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
        https://prod-global-autodetect.acompli.net/autodetect
        https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
        https://res.getmicrosoftkey.com/api/redemptionevents
        https://roaming.edog.
        https://rpsticket.partnerservices.getmicrosoftkey.com
        https://settings.outlook.com
        https://shell.suite.office.com:1443
        https://skyapi.live.net/Activity/
        https://sr.outlook.office.net/ws/speech/recognize/assistant/work
        https://staging.cortana.ai
        https://storage.live.com/clientlogs/uploadlocation
        https://store.office.cn/addinstemplate
        https://store.office.com/addinstemplate
        https://store.office.de/addinstemplate
        https://store.officeppe.com/addinstemplate
        https://substrate.office.com/search/api/v2/init
        https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        https://tasks.office.com
        https://uci.cdn.office.net/mirrored/smartlookup/current/
        https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
        https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
        https://visio.uservoice.com/forums/368202-visio-on-devices
        https://web.microsoftstream.com/video/
        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
        https://webshell.suite.office.com
        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
        https://wus2.contentsync.
        https://wus2.pagecontentsync.
        https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
        https://www.odwebp.svc.ms
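
    Only one of the strings above comes from the submitted document itself (http://0b.htb/s.dll, listed under the sample's name); every other URL is listed under a dropped file (Joe Sandbox's ".dr" suffix), which here is Office's own endpoint list and should not be turned into block-list entries. The script below sorts "String found in binary or memory" rows by their source so the sample-borne string is the only IOC candidate. It is an added example, not part of the report and not Joe Sandbox code; the rows embedded in it are copied from this report, and the first-party domain suffix list is an assumed, illustrative allow-list, not something the report states.

```python
# Added example: triage "String found in binary or memory" rows by source.
import re
from urllib.parse import urlsplit

SAMPLE_NAME = "oBfsC4t10n2.xls"
# Accepts both the raw extraction ("...xlsString found") and a "; "-separated row.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)[;:]?\s*String found in binary or memory:\s*(?P<url>\S+)$")
# Assumed first-party suffixes: hosts Office itself is built to contact. Shared
# hosting such as azurewebsites.net is deliberately absent; anyone can register there.
FIRST_PARTY = ("microsoft.com", "microsoftonline.com", "office.com", "office.net",
               "office365.com", "live.com", "live.net", "windows.net", "msn.com",
               "msedge.net", "onenote.com", "outlook.com", "skype.com", "cortana.ai",
               "acompli.net", "bingapis.com", "svc.ms", "getmicrosoftkey.com")


def is_first_party(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY)


def classify(line: str):
    """Return {src, url, host, bucket} for a string-found row, or None for other rows."""
    m = LINE_RE.match(line)
    if not m:
        return None                      # file/registry/click events are not URL strings
    src, url = m["src"], m["url"]
    host = urlsplit(url).hostname or ""
    if src == SAMPLE_NAME:
        bucket = "ioc"                   # carried by the submitted document itself
    elif url.endswith(".") or not host:
        bucket = "truncated"             # cut-off string; cannot be attributed to a domain
    elif src.endswith(".dr") and is_first_party(host):
        bucket = "noise"                 # Office's built-in endpoint list in a dropped file
    else:
        bucket = "review"                # dropped-file string on a non-first-party host
    return {"src": src, "url": url, "host": host, "bucket": bucket}


def triage(lines):
    buckets = {"ioc": [], "noise": [], "review": [], "truncated": []}
    for line in lines:
        hit = classify(line)
        if hit:
            buckets[hit["bucket"]].append(hit["url"])
    return buckets


REPORT_LINES = [  # rows copied from the report
    "Source: oBfsC4t10n2.xlsString found in binary or memory: http://0b.htb/s.dll",
    "Source: 4783B964-6B07-40F0-8FA8-C56645744E15.0.drString found in binary or memory: https://login.microsoftonline.com/",
    "Source: 4783B964-6B07-40F0-8FA8-C56645744E15.0.drString found in binary or memory: https://api.diagnostics.office.com",
    "Source: 4783B964-6B07-40F0-8FA8-C56645744E15.0.drString found in binary or memory: https://cdn.entity.",
    "Source: 4783B964-6B07-40F0-8FA8-C56645744E15.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/",
    r"Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll",
]

if __name__ == "__main__":
    for bucket, urls in triage(REPORT_LINES).items():
        print(f"{bucket:10} {len(urls):3}  " + ", ".join(urls))
```

    Feed it the whole report (one row per line) and only the "ioc" bucket goes to blocking; "review" is where shared-hosting and unknown hosts land for a human look, and "truncated" flags strings the sandbox cut mid-hostname.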
    Source: oBfsC4t10n2.xls; OLE indicator, VBA macros: true
    Source: oBfsC4t10n2.xls, type: SAMPLE; Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
    Source: classification engine; Classification label: mal60.expl.winXLS@1/1@0/0
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{C174B92E-FE21-4799-A496-3E4F9CF7584D} - OProcSessId.dat
    Source: oBfsC4t10n2.xls; OLE indicator, Workbook stream: true
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
    Source: oBfsC4t10n2.xls; Virustotal: Detection: 63%
    Source: oBfsC4t10n2.xls; Metadefender: Detection: 44%
    Source: oBfsC4t10n2.xls; ReversingLabs: Detection: 68%
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Automated click: OK (4 occurrences)
    Source: Window Recorder; Window detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (20 occurrences)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

    HIPS / PFW / Operating System Protection Evasion:

    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match; File source: oBfsC4t10n2.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Entries followed by a count matched a signature in this analysis; the other entries are the matrix's default, unmatched cells.

    Initial Access: Valid Accounts; Default Accounts
    Execution: Scripting (1); Scheduled Task/Job
    Persistence: Path Interception; Boot or Logon Initialization Scripts
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
    Defense Evasion: Masquerading (1); Scripting (1)
    Credential Access: OS Credential Dumping; LSASS Memory
    Discovery: File and Directory Discovery (1); System Information Discovery (1)
    Lateral Movement: Remote Services; Remote Desktop Protocol
    Collection: Data from Local System; Data from Removable Media
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
    Command and Control: Data Obfuscation; Junk Data
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
    Impact: Modify System Partition; Device Lockout

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    oBfsC4t10n2.xls | 63% | Virustotal | -
    oBfsC4t10n2.xls | 47% | Metadefender | -
    oBfsC4t10n2.xls | 69% | ReversingLabs | Document-Excel.Downloader.EncDoc
    oBfsC4t10n2.xls | 100% | Avira | XF/Agent.B

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    https://roaming.edog. | 0% | Avira URL Cloud | safe
    https://cdn.entity. | 0% | URL Reputation | safe
    https://powerlift.acompli.net | 0% | URL Reputation | safe
    https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://cortana.ai | 0% | URL Reputation | safe
    https://api.aadrm.com/ | 0% | URL Reputation | safe
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | -
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
    https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
    https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
    https://officeci.azurewebsites.net/api/ | 0% | Virustotal | -
    https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
    https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
    https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
    https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
    https://www.odwebp.svc.ms | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
    https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
    https://ncus.contentsync. | 0% | URL Reputation | safe
    https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
    https://wus2.contentsync. | 0% | URL Reputation | safe
    https://asgsmsproxyapi.azurewebsites.net/ | 0% | Virustotal | -
    https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
    https://ncus.pagecontentsync. | 0% | URL Reputation | safe
    https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com | 0% | URL Reputation | safe
    https://api.cortana.ai | 0% | URL Reputation | safe
    https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe
    https://directory.services. | 0% | URL Reputation | safe
    https://staging.cortana.ai | 0% | URL Reputation | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Source for every entry: 4783B964-6B07-40F0-8FA8-C56645744E15.0.dr (dropped file). Malicious: false for every entry.

    Name | Antivirus Detection | Reputation
    https://api.diagnosticssdf.office.com | - | high
    https://login.microsoftonline.com/ | - | high
    https://shell.suite.office.com:1443 | - | high
    https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | - | high
    https://autodiscover-s.outlook.com/ | - | high
    https://roaming.edog. | Avira URL Cloud: safe | unknown
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | - | high
    https://cdn.entity. | URL Reputation: safe | unknown
    https://api.addins.omex.office.net/appinfo/query | - | high
    https://clients.config.office.net/user/v1.0/tenantassociationkey | - | high
    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | - | high
    https://powerlift.acompli.net | URL Reputation: safe | unknown
    https://rpsticket.partnerservices.getmicrosoftkey.com | URL Reputation: safe | unknown
    https://lookup.onenote.com/lookup/geolocation/v1 | - | high
    https://cortana.ai | URL Reputation: safe | unknown
    https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | - | high
    https://cloudfiles.onenote.com/upload.aspx | - | high
    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | - | high
    https://entitlement.diagnosticssdf.office.com | - | high
    https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | - | high
    https://api.aadrm.com/ | URL Reputation: safe | unknown
    https://ofcrecsvcapi-int.azurewebsites.net/ | Virustotal: 0%; Avira URL Cloud: safe | unknown
    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | - | high
    https://api.microsoftstream.com/api/ | - | high
    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | - | high
    https://cr.office.com | - | high
    https://portal.office.com/account/?ref=ClientMeControl | - | high
    https://graph.ppe.windows.net | - | high
    https://res.getmicrosoftkey.com/api/redemptionevents | URL Reputation: safe | unknown
    https://powerlift-frontdesk.acompli.net | URL Reputation: safe | unknown
    https://tasks.office.com | - | high
    https://officeci.azurewebsites.net/api/ | Virustotal: 0%; Avira URL Cloud: safe | unknown
    https://sr.outlook.office.net/ws/speech/recognize/assistant/work | - | high
    https://store.office.cn/addinstemplate | URL Reputation: safe | unknown
    https://outlook.office.com/autosuggest/api/v1/init?cvid= | - | high
    https://globaldisco.crm.dynamics.com | - | high
    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | - | high
    https://store.officeppe.com/addinstemplate | URL Reputation: safe | unknown
    https://dev0-api.acompli.net/autodetect | URL Reputation: safe | unknown
    https://www.odwebp.svc.ms | URL Reputation: safe | unknown
    https://api.powerbi.com/v1.0/myorg/groups | - | high
    https://web.microsoftstream.com/video/ | - | high
    https://graph.windows.net | - | high
    https://dataservice.o365filtering.com/ | URL Reputation: safe | unknown
    https://officesetup.getmicrosoftkey.com | URL Reputation: safe | unknown
    https://analysis.windows.net/powerbi/api | - | high
    https://prod-global-autodetect.acompli.net/autodetect | URL Reputation: safe | unknown
    https://outlook.office365.com/autodiscover/autodiscover.json | - | high
    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | - | high
    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | - | high
    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | - | high
    https://ncus.contentsync. | URL Reputation: safe | unknown
    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | - | high
    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | - | high
    http://weather.service.msn.com/data.aspx | - | high
    https://apis.live.net/v5.0/ | URL Reputation: safe | unknown
    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | - | high
    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | - | high
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | - | high
    https://management.azure.com | - | high
    https://wus2.contentsync. | URL Reputation: safe | unknown
    https://incidents.diagnostics.office.com | - | high
    https://clients.config.office.net/user/v1.0/ios | - | high
    https://insertmedia.bing.office.net/odc/insertmedia | - | high
    https://o365auditrealtimeingestion.manage.office.com | - | high
    https://outlook.office365.com/api/v1.0/me/Activities | - | high
    https://api.office.net | - | high
    https://incidents.diagnosticssdf.office.com | - | high
    https://asgsmsproxyapi.azurewebsites.net/ | Virustotal: 0%; Avira URL Cloud: safe | unknown
    https://clients.config.office.net/user/v1.0/android/policies | - | high
    https://entitlement.diagnostics.office.com | - | high
    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | - | high
    https://substrate.office.com/search/api/v2/init | - | high
    https://outlook.office.com/ | - | high
    https://storage.live.com/clientlogs/uploadlocation | - | high
    https://outlook.office365.com/ | - | high
    https://webshell.suite.office.com | - | high
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | - | high
    https://management.azure.com/ | - | high
    https://login.windows.net/common/oauth2/authorize | - | high
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | URL Reputation: safe | unknown
    https://graph.windows.net/ | - | high
    https://api.powerbi.com/beta/myorg/imports | - | high
    https://devnull.onenote.com | - | high
    https://ncus.pagecontentsync. | URL Reputation: safe | unknown
    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | - | high
    https://messaging.office.com/ | - | high
    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | - | high
    https://augloop.office.com/v2 | - | high
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | - | high
    https://skyapi.live.net/Activity/ | URL Reputation: safe | unknown
    https://clients.config.office.net/user/v1.0/mac | - | high
    https://dataservice.o365filtering.com | URL Reputation: safe | unknown
    https://api.cortana.ai | URL Reputation: safe | unknown
    https://onedrive.live.com | - | high
    https://ovisualuiapp.azurewebsites.net/pbiagave/ | Avira URL Cloud: safe | unknown
    https://visio.uservoice.com/forums/368202-visio-on-devices | - | high
    https://directory.services. | URL Reputation: safe | unknown
    https://login.windows-ppe.net/common/oauth2/authorize | - | high
    https://staging.cortana.ai | URL Reputation: safe | unknown

                                                                                                                                                  Contacted IPs

    No contacted IP info

                                                                                                                                                  General Information

    Joe Sandbox Version: 33.0.0 White Diamond
    Analysis ID: 461925
    Start date: 09.08.2021
    Start time: 18:50:47
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 3m 59s
    Hypervisor based Inspection enabled: false
    Report type: full
    Sample file name: oBfsC4t10n2.xls
    Cookbook file name: defaultwindowsofficecookbook.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Run name: Potential for more IOCs and behavior
    Number of newly started processes analysed: 13
    Number of newly started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                  Technologies:
                                                                                                                                                  • HCA enabled
                                                                                                                                                  • EGA enabled
                                                                                                                                                  • HDC enabled
                                                                                                                                                  • AMSI enabled
                                                                                                                                                  Analysis Mode:default
                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                  Detection:MAL
                                                                                                                                                  Classification:mal60.expl.winXLS@1/1@0/0
                                                                                                                                                  Cookbook Comments:
                                                                                                                                                  • Adjust boot time
                                                                                                                                                  • Enable AMSI
                                                                                                                                                  • Found application associated with file extension: .xls
                                                                                                                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                  • Attach to Office via COM
                                                                                                                                                  • Scroll down
                                                                                                                                                  • Close Viewer
                                                                                                                                                  Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.255.188.83, 168.61.161.212, 52.147.198.201, 52.109.88.177, 52.109.8.25, 52.109.12.23, 20.50.102.62, 104.43.193.48, 104.43.139.144, 20.54.110.249, 40.112.88.60, 20.82.209.183, 23.10.249.26, 23.10.249.43, 20.82.210.154
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4783B964-6B07-40F0-8FA8-C56645744E15
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 135913
Entropy (8bit): 5.362413633185819
Encrypted: false
SSDEEP: 1536:wcQIKNveBTA3gBwlnQ9DQW+z2Y34ZliKWXboOidXqE6LWME9:XyQ9DQW+zaX31
MD5: DA46FDC2BBF2A37034D04E414C1EF317
SHA1: CC361A20144283E5EC8275DB9C5C4AC6890E88F2
SHA-256: 1FCD835C17DD20B3187C6CBA4CDA9717F7D270B00160C05FBCA92C7AF86C0B27
SHA-512: D3F7D44E5DE9155D9FEAE2ED6739B1AB24FA5FF19BA3822A933F3B12976C2CC2118A31651CD3E3B76C4012B57025D0B732F94D286F67055A201FFCCA0D01DBAE
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-08-09T16:51:38">.. Build: 16.0.14404.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: 0xdf, Last Saved By: 0xdf, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Mar 23 14:19:10 2020, Last Saved Time/Date: Sat Apr 25 19:43:56 2020, Security: 0
Entropy (8bit): 5.658051669585681
TrID:
• Microsoft Excel sheet (30009/1) 47.99%
• Microsoft Excel sheet (alternate) (24509/1) 39.20%
• Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name: oBfsC4t10n2.xls
File size: 849920
MD5: 0c09fbdf98f0a6144a42fde00fe21504
SHA1: bb4a594ecf90ed6b9e408c404b08620500fb4c02
SHA256: 1f156f86d45e28dac74015051546305497adb86b4e46bb7d9a84ccf5e25a12f4
SHA512: e07776cc23b1a9629e760173e7cbf47bfc56f87c1f74f51ad59299dad3e01387ed355bed4cdcfcc269cb55ad7357896b3e1d57a7cdea0c6d84ecec09ca79e8d4
SSDEEP: 12288:53wXyuDwsryfLlYUFZWyehWg6rj4P8pJNjavyP:5Axr2YUWyXvzD
File Content Preview: ........................>.......................z...........................m...n...o...p...q...r...s...t...u...v...w...x...y..................................................................................................................................

File Icon

Icon Hash: 74ecd4c6c3c6c4d8

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "oBfsC4t10n2.xls"

Indicators

Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary

Code Page: 1252
Author: 0xdf
Last Saved By: 0xdf
Create Time: 2020-03-23 14:19:10
Last Saved Time: 2020-04-25 18:43:56
Creating Application: Microsoft Excel
Security: 0

Document Summary

Document Code Page: 1252
Thumbnail Scaling Desired: False
Company:
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.333599520797
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i n v o i c e . . . . . c 1 z B 0 v a s N o . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . .
Data Raw: fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 af 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.266633510482
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 x d f . . . . . . . . . . . . 0 x d f . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . C . . . . . . @ . . . . > . y 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 833805
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 833805
Entropy: 5.70721264282
Base64 Encoded: True
Data ASCII: . . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 0 x d f B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . E . . 8 . . . . . . . X . @ . .
Data Raw: 09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 30 78 64 66 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                                                                                                                  Network Behavior

                                                                                                                                                  Network Port Distribution

                                                                                                                                                  UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Aug 9, 2021 18:51:22.440769911 CEST  49714        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:22.463947058 CEST  53           49714      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:23.232280016 CEST  58028        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:23.252974987 CEST  53           58028      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:24.263303995 CEST  53097        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:24.283775091 CEST  53           53097      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:38.242172003 CEST  49257        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:38.377046108 CEST  53           49257      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:38.652730942 CEST  62389        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:38.673881054 CEST  53           62389      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:39.657444000 CEST  62389        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:39.679589987 CEST  53           62389      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:40.656543970 CEST  62389        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:40.677270889 CEST  53           62389      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:42.661205053 CEST  62389        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:42.685195923 CEST  53           62389      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:46.669063091 CEST  62389        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:46.690498114 CEST  53           62389      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:53.424686909 CEST  49910        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:53.448506117 CEST  53           49910      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:57.294713020 CEST  55854        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:57.318012953 CEST  53           55854      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:57.975076914 CEST  64549        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:57.996007919 CEST  53           64549      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:58.827250957 CEST  63153        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:58.848716974 CEST  53           63153      8.8.8.8      192.168.2.4
Aug 9, 2021 18:51:59.475537062 CEST  52991        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:51:59.498862028 CEST  53           52991      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:00.136468887 CEST  53700        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:00.157275915 CEST  53           53700      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:01.542156935 CEST  51726        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:01.566374063 CEST  53           51726      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:02.402885914 CEST  56794        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:02.426156044 CEST  53           56794      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:03.286370039 CEST  56534        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:03.308976889 CEST  53           56534      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:04.135551929 CEST  56627        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:04.156943083 CEST  53           56627      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:07.898490906 CEST  56621        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:07.920151949 CEST  53           56621      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:08.370929956 CEST  63116        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:08.447995901 CEST  53           63116      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:08.870795012 CEST  64078        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:08.905832052 CEST  53           64078      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:08.925537109 CEST  64801        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:08.948431969 CEST  53           64801      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:09.172884941 CEST  61721        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:09.195796967 CEST  53           61721      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:09.279949903 CEST  51255        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:09.300837040 CEST  53           51255      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:09.791794062 CEST  61522        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:09.813956022 CEST  53           61522      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:10.227412939 CEST  52337        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:10.249910116 CEST  53           52337      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:10.684124947 CEST  55046        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:10.705190897 CEST  53           55046      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:11.103514910 CEST  49612        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:11.123950005 CEST  53           49612      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:12.106479883 CEST  49285        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:12.127252102 CEST  53           49285      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:12.425992012 CEST  50601        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:12.448159933 CEST  53           50601      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:12.769496918 CEST  60875        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:12.790676117 CEST  53           60875      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:13.260760069 CEST  56448        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:13.281474113 CEST  53           56448      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:13.598042965 CEST  59172        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:13.621413946 CEST  53           59172      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:14.096615076 CEST  62420        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:14.118246078 CEST  53           62420      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:18.047159910 CEST  60579        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:18.069015026 CEST  53           60579      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:27.780972004 CEST  50183        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:27.815988064 CEST  53           50183      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:28.092806101 CEST  61531        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:28.138016939 CEST  53           61531      8.8.8.8      192.168.2.4
Aug 9, 2021 18:52:30.307389975 CEST  49228        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:52:30.338526011 CEST  53           49228      8.8.8.8      192.168.2.4
Aug 9, 2021 18:53:04.871006966 CEST  59794        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:53:04.906596899 CEST  53           59794      8.8.8.8      192.168.2.4
Aug 9, 2021 18:53:08.258712053 CEST  55916        53         192.168.2.4  8.8.8.8
Aug 9, 2021 18:53:08.280878067 CEST  53           55916      8.8.8.8      192.168.2.4
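Every packet in the UDP Packets table above is port-53 traffic between the analysis VM (192.168.2.4) and 8.8.8.8, and the report does not show query names or DNS transaction IDs. The following script is an added example, not part of the Joe Sandbox report: it pairs each response with the oldest pending query from the same client port, reports round-trip time and unanswered queries, and lists client ports that re-sent a query (the back-off gaps for port 62389 are visible in the table). Treating all port-53 traffic to 8.8.8.8 as DNS, and relying on the rows being in arrival order, are this example's assumptions; the embedded rows are a subset copied from the table, with the constant date and time zone dropped.

```python
"""Pair DNS queries and responses from a sandbox UDP packet table.

Added example (not part of the Joe Sandbox report). Assumptions: every
packet to/from port 53 on the resolver is a DNS query/response, and rows
are in arrival order. Pairing is by client port and order because the
report shows neither query names nor transaction IDs.
"""
from collections import defaultdict

RESOLVER = "8.8.8.8"  # the only destination that appears in the table

# Subset of rows copied from the report's UDP Packets table:
# (time, src_port, dst_port, src_ip, dst_ip); date/time zone dropped.
REPORT_ROWS = [
    ("18:51:22.440769911", 49714, 53, "192.168.2.4", "8.8.8.8"),
    ("18:51:22.463947058", 53, 49714, "8.8.8.8", "192.168.2.4"),
    ("18:51:38.652730942", 62389, 53, "192.168.2.4", "8.8.8.8"),
    ("18:51:38.673881054", 53, 62389, "8.8.8.8", "192.168.2.4"),
    ("18:51:39.657444000", 62389, 53, "192.168.2.4", "8.8.8.8"),
    ("18:51:39.679589987", 53, 62389, "8.8.8.8", "192.168.2.4"),
    ("18:51:40.656543970", 62389, 53, "192.168.2.4", "8.8.8.8"),
    ("18:51:40.677270889", 53, 62389, "8.8.8.8", "192.168.2.4"),
    ("18:51:42.661205053", 62389, 53, "192.168.2.4", "8.8.8.8"),
    ("18:51:42.685195923", 53, 62389, "8.8.8.8", "192.168.2.4"),
    ("18:51:46.669063091", 62389, 53, "192.168.2.4", "8.8.8.8"),
    ("18:51:46.690498114", 53, 62389, "8.8.8.8", "192.168.2.4"),
    ("18:51:53.424686909", 49910, 53, "192.168.2.4", "8.8.8.8"),
    ("18:51:53.448506117", 53, 49910, "8.8.8.8", "192.168.2.4"),
    ("18:51:57.294713020", 55854, 53, "192.168.2.4", "8.8.8.8"),
    ("18:51:57.318012953", 53, 55854, "8.8.8.8", "192.168.2.4"),
]


def to_seconds(ts):
    """'HH:MM:SS.nnnnnnnnn' -> seconds since midnight; strptime cannot take 9 fraction digits."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s + int(frac) / 10 ** len(frac)


def is_query(row, resolver=RESOLVER):
    _, _, dport, _, dip = row
    return dport == 53 and dip == resolver


def is_response(row, resolver=RESOLVER):
    _, sport, _, sip, _ = row
    return sport == 53 and sip == resolver


def pair_dns(rows, resolver=RESOLVER):
    """Match each response to the oldest unanswered query from the same client port.

    Returns (answered, unanswered): answered holds (client_port, query_time_s,
    rtt_ms); unanswered holds (client_port, query_time_s) for queries with no reply.
    A reply that has no pending query (stray or late) is dropped.
    """
    pending = defaultdict(list)  # (client_ip, client_port) -> [query times]
    answered = []
    for row in rows:
        ts, sport, dport, sip, dip = row
        t = to_seconds(ts)
        if is_query(row, resolver):
            pending[(sip, sport)].append(t)
        elif is_response(row, resolver):
            queue = pending[(dip, dport)]
            if queue:
                q = queue.pop(0)
                answered.append((dport, q, round((t - q) * 1000, 1)))
    unanswered = [(port, t) for (_, port), times in pending.items() for t in times]
    return answered, unanswered


def retry_gaps(rows, resolver=RESOLVER):
    """Client ports that sent more than one query, with seconds between sends.

    A client re-sending from the same source port is retrying; the gap list
    shows its back-off schedule.
    """
    by_port = defaultdict(list)
    for row in rows:
        if is_query(row, resolver):
            by_port[row[1]].append(to_seconds(row[0]))
    return {
        port: [round(b - a, 2) for a, b in zip(times, times[1:])]
        for port, times in by_port.items()
        if len(times) > 1
    }


def summarize(rows, resolver=RESOLVER):
    """Counts, worst round-trip time and retry schedule for one packet table."""
    answered, unanswered = pair_dns(rows, resolver)
    return {
        "queries": len(answered) + len(unanswered),
        "answered": len(answered),
        "unanswered": len(unanswered),
        "max_rtt_ms": max((rtt for _, _, rtt in answered), default=0.0),
        "retries": retry_gaps(rows, resolver),
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT_ROWS).items():
        print(f"{key}: {value}")
```

On the subset above, `summarize` reports eight queries, all answered within about 24 ms, and a single retrying port (62389) whose gaps grow from one second to four; a query that never gets a reply, or a reply with no matching query, ends up in `unanswered` or is dropped rather than mis-paired with a different port.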

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

                                                                                                                                                  System Behavior

                                                                                                                                                  General

Start time: 18:51:36
Start date: 09/08/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x890000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                  Disassembly
