Windows Analysis Report https://containerlafamilia.cl/possimus-tenetur/dolor.zip

Overview

General Information

Sample URL:https://containerlafamilia.cl/possimus-tenetur/dolor.zip
Analysis ID:493572
Detection

Hidden Macro 4.0
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for domain / URL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Yara detected hidden Macro 4.0 in Excel
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • chrome.exe (PID: 3592 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'https://containerlafamilia.cl/possimus-tenetur/dolor.zip' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 668 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,17424876508857128548,15970264656069861363,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1768 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 7096 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1552,17424876508857128548,15970264656069861363,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=6220 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • unarchiver.exe (PID: 6440 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\dolor.zip' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
      • 7za.exe (PID: 6524 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\xpbfofnc.5bi' 'C:\Users\user\Downloads\dolor.zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6332 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\xpbfofnc.5bi\recital-395579281.xls' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • EXCEL.EXE (PID: 7052 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde MD5: 5D6638F2C8F8571C593999C58866007E)
          • regsvr32.exe (PID: 2904 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test MD5: 426E7499F6A7346F0410DEAD0805586B)
          • regsvr32.exe (PID: 6160 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test MD5: 426E7499F6A7346F0410DEAD0805586B)
          • regsvr32.exe (PID: 5548 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\xpbfofnc.5bi\recital-395579281.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x3a8aa:$s1: Excel
  • 0x3b94a:$s1: Excel
  • 0x34cf:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: C:\Users\user\AppData\Local\Temp\xpbfofnc.5bi\recital-395579281.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  • Command: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
  • CommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
  • CommandLine|base64offset|contains: 
  • Image: C:\Windows\SysWOW64\regsvr32.exe
  • NewProcessName: C:\Windows\SysWOW64\regsvr32.exe
  • OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe
  • ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
  • ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
  • ParentProcessId: 7052
  • ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
  • ProcessId: 2904

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: https://mercanets.com/9DPZqAfZdq5z/key.xml, Virustotal: Detection: 6%
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: C:\Windows\SysWOW64\unarchiver.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: unknown, HTTPS traffic detected: 199.79.63.251:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.251.80.22:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.222.225.250:443 -> 192.168.2.7:49773 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: C:\Windows\SysWOW64\unarchiver.exe, Code function: 4x nop then jmp 0272099Bh, 5_2_027202A8
Source: C:\Windows\SysWOW64\unarchiver.exe, Code function: 4x nop then jmp 0272099Ah, 5_2_027202A8
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
    Source: messages.json41.0.drString found in binary or memory: https://support.google.com/chromecast/answer/2998456
    Source: messages.json41.0.drString found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://tasks.office.com
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://webshell.suite.office.com
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://wus2.contentsync.
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 748e6b2e-d68c-4eaa-a640-c6bf98842368.tmp.1.dr, manifest.json0.0.dr, d55352e5-ae23-41eb-b461-551b82ff11d3.tmp.1.drString found in binary or memory: https://www.google.com
    Source: manifest.json.0.drString found in binary or memory: https://www.google.com/
    Source: manifest.json0.0.drString found in binary or memory: https://www.google.com;
    Source: 748e6b2e-d68c-4eaa-a640-c6bf98842368.tmp.1.dr, d55352e5-ae23-41eb-b461-551b82ff11d3.tmp.1.drString found in binary or memory: https://www.googleapis.com
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/clouddevices
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/meetings
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/sierra
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/userinfo.email
    Source: 748e6b2e-d68c-4eaa-a640-c6bf98842368.tmp.1.dr, d55352e5-ae23-41eb-b461-551b82ff11d3.tmp.1.drString found in binary or memory: https://www.gstatic.com
    Source: manifest.json0.0.drString found in binary or memory: https://www.gstatic.com;
    Source: 00F2487D-CDF1-407A-BC77-208F9176BCD5.10.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: unknown | HTTP traffic detected:
        POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
        Host: accounts.google.com
        Connection: keep-alive
        Content-Length: 1
        Origin: https://www.google.com
        Content-Type: application/x-www-form-urlencoded
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: empty
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: unknown | DNS traffic detected: queries for: containerlafamilia.cl
    Source: global traffic | HTTP traffic detected:
        GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
        Host: clients2.google.com
        Connection: keep-alive
        X-Goog-Update-Interactivity: fg
        X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm
        X-Goog-Update-Updater: chromecrx-85.0.4183.121
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: empty
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected:
        GET /possimus-tenetur/dolor.zip HTTP/1.1
        Host: containerlafamilia.cl
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected:
        GET /possimus-tenetur/charts-2393758632.zip HTTP/1.1
        Host: containerlafamilia.cl
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Dest: document
        Referer: https://containerlafamilia.cl/possimus-tenetur/dolor.zip
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
        Cookie: PHPSESSID=38d28ada78121a353402c16669d31288
    Source: global traffic | HTTP traffic detected:
        GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1
        Host: clients2.googleusercontent.com
        Connection: keep-alive
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: empty
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected:
        GET /Cdpmoyhr/key.xml HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: gillcart.com
        Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected:
        GET /MeOlE9Xxd/key.xml HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: geit.in
        Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected:
        GET /9DPZqAfZdq5z/key.xml HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: mercanets.com
        Connection: Keep-Alive
    Source: unknown | HTTPS traffic detected: 199.79.63.251:443 -> 192.168.2.7:49767 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 162.251.80.22:443 -> 192.168.2.7:49772 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 162.222.225.250:443 -> 192.168.2.7:49773 version: TLS 1.2

    System Summary:

    Source: C:\Users\user\AppData\Local\Temp\xpbfofnc.5bi\recital-395579281.xls, type: DROPPED | Matched rule: SUSP_Excel4Macro_AutoOpen (date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f)
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 5_2_027202A8
    Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 5_2_02720298
    Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'https://containerlafamilia.cl/possimus-tenetur/dolor.zip'
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,17424876508857128548,15970264656069861363,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1768 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1552,17424876508857128548,15970264656069861363,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=6220 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\dolor.zip'
    Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\xpbfofnc.5bi' 'C:\Users\user\Downloads\dolor.zip'
    Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\xpbfofnc.5bi\recital-395579281.xls'
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program