
Windows Analysis Report http://feedproxy.google.com/~r/nevvk/~3/fAU-x0IFuyI/tumor.php

Overview

General Information

Sample URL: http://feedproxy.google.com/~r/nevvk/~3/fAU-x0IFuyI/tumor.php
Analysis ID: 505859

Detection

Hancitor
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Hancitor
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA macro which may execute processes
Sigma detected: Suspicious Splwow64 Without Params
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Contains functionality to inject threads in other processes
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Starts Microsoft Word (often done to prevent the user from noticing that something is wrong)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • chrome.exe (PID: 6768 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'http://feedproxy.google.com/~r/nevvk/~3/fAU-x0IFuyI/tumor.php' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 7040 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,8249347436708420148,3166393392138617349,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1904 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 5528 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1552,8249347436708420148,3166393392138617349,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4924 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • WINWORD.EXE (PID: 7048 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /n 'C:\Users\user\Downloads\1019_4033561623981.doc' /o '' MD5: 0B9AB9B9C4DE429473D6450D4297A123)
      • splwow64.exe (PID: 6660 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
      • rundll32.exe (PID: 6212 cmdline: rundll32.exe c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000003.387311451.00000000013B0000.00000040.00000001.sdmp | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |
0000000B.00000002.579491248.0000000065223000.00000002.00020000.sdmp | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |
Process Memory Space: rundll32.exe PID: 6212 | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
11.3.rundll32.exe.13b3d4c.0.raw.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |
11.2.rundll32.exe.65220000.0.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious Splwow64 Without Params
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\splwow64.exe 12288, CommandLine: C:\Windows\splwow64.exe 12288, CommandLine|base64offset|contains: m, Image: C:\Windows\splwow64.exe, NewProcessName: C:\Windows\splwow64.exe, OriginalFileName: C:\Windows\splwow64.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /n 'C:\Users\user\Downloads\1019_4033561623981.doc' /o '', ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 7048, ProcessCommandLine: C:\Windows\splwow64.exe 12288, ProcessId: 6660
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: rundll32.exe c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD, CommandLine: rundll32.exe c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /n 'C:\Users\user\Downloads\1019_4033561623981.doc' /o '', ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 7048, ProcessCommandLine: rundll32.exe c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD, ProcessId: 6212

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://newnucapi.com/8/forum.php | Avira URL Cloud: Label: malware
Source: 11.2.rundll32.exe.65220000.0.unpack | Avira: Label: TR/Hijacker.Gen

Location Tracking:

Yara detected Hancitor
Source: Yara match | File source: 11.3.rundll32.exe.13b3d4c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.65220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000003.387311451.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.579491248.0000000065223000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6212, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_65222131 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,11_2_65222131
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\6768_1037701863\LICENSE.txt
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: Binary string: c:\clothe\923\Sight\Captain\Sell\cool.pdb source: rundll32.exe, 0000000B.00000002.579536725.0000000065261000.00000002.00020000.sdmp, gelfor.dap.6.dr

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2034127 ET TROJAN Tordal/Hancitor/Chanitor Checkin 192.168.2.3:49800 -> 95.47.161.27:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: newnucapi.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 95.47.161.27 80
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: api.ipify.org
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 54.243.41.12 80
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49677
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 19 Oct 2021 18:48:41 GMTServer: ApacheX-Powered-By: PHP/7.3.30Upgrade: h2,h2cConnection: Upgrade, Keep-AliveVary: Accept-EncodingContent-Encoding: gzipContent-Length: 440Keep-Alive: timeout=5, max=100Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 85 53 cb 4e c3 30 10 bc f7 2b 96 08 11 bb 2d 69 e1 c0 c5 0d 5c 10 88 03 e2 40 4f 20 40 51 b2 6d 23 1c 3b 8a 1d 40 3c fe 9d 75 ea 3c 5a 21 91 43 2c 7b 67 67 67 c6 c9 c2 a4 55 5e da f3 d1 08 e8 91 68 21 83 18 8e 15 be c3 65 62 91 f1 68 8d 76 99 17 f8 a9 15 de ad 56 06 2d e3 a2 03 2b 02 df 28 2b 23 07 76 b0 2b 5d 15 09 41 a2 0a 8d 96 6f 98 dd 95 36 d7 ca d0 89 a5 f2 03 b1 88 ed ac 55 ad 52 57 02 a2 7c 49 b5 7e cd 11 98 4a 0a 9c c2 5b 22 6b 5a 8a 5c d5 16 0d 87 af a6 01 c0 2f 5e 27 4d a4 e9 bd 52 d1 95 5d 29 32 5b dd ac d9 78 13 8c c3 04 98 e7 85 31 9c cd e9 75 32 9f cf f9 a0 7b 67 0a 7e 94 39 59 a1 41 41 f0 07 24 5f 75 74 bc 3b 74 cf a0 4f b4 9b 38 98 34 62 ac be be 5d de db 2a 57 eb a1 ea 1d e2 4c a7 75 81 ca 46 3e 19 32 4a d1 90 fa 20 0e e8 8d 26 4d 4a ca ab 49 ca 99 f2 23 26 81 28 13 bb 89 67 34 d5 b3 fd ec c5 bd 1e c4 bd 5d 5f 1c 75 9f b2 b3 4d 54 b5 b4 4e fe 9e 90 88 6e 37 dd 00 0b d9 f3 b7 e0 70 11 d2 ec 01 0b ed c2 98 3d 3e 8b a7 31 67 e2 fb 90 87 ad c1 51 1f 98 27 ef 03 ab d0 d6 95 02 56 ab d6 97 87 3c 9e 3e f5 37 83 d2 e0 7e 8b aa a5 14 43 9b 8e ff a0 b7 c8 c2 2c e4 70 74 04 3b 67 2a e4 bd 5d 18 7c 80 0e 3e 85 6c 0a a7 83 7b 31 3b 9d 53 50 db 72 57 9f cd da 8c 20 02 a9 d3 a4 89 39 22 89 52 27 59 7b c3 5e df 62 e6 7f b8 85 5f ff e9 ed f0 bf 8b e8 87 25 a9 03 00 00 Data Ascii: SN0+-i\@O @Qm#;@<u<Z!C,{gggU^h!ebhvV-+(+#v+]Ao6URW|I~J["kZ\/^'MR])2[x1u2{g~9YAA$_ut;tO84b]*WLuF>2J &MJI#&(g4]_uMTNn7p=>1gQ'V<>7~C,pt;g*]|>l{1;SPrW 9"R'Y{^b_%
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 19 Oct 2021 18:48:41 GMTServer: ApacheX-Powered-By: PHP/7.3.30Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 548Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 6d 53 5d 4f db 30 14 7d ef af b8 8b b6 c6 a1 25 49 33 51 c1 d2 80 10 55 11 d2 18 93 c6 d3 10 20 2b b9 6d 2d 1c 3b 4b 9c b2 0f f6 df 77 dd a6 4d 5a 2d 0f b6 7c 3f ce 3d e7 38 9e 54 69 29 0a 73 de eb 01 7d 12 0d 64 90 c0 b1 c2 57 98 72 83 cc f3 17 68 ee 45 8e bf b5 c2 bb f9 bc 42 c3 bc 78 57 ac a8 f8 46 19 e9 db 62 5b 36 d3 65 ce a9 c4 2f b1 d2 72 85 d9 5d 61 84 56 15 45 0c a5 bf 13 4a bc 99 35 af 55 6a 53 40 90 cf a9 d6 2f 02 81 29 9e e3 10 56 5c d6 b4 e5 42 d5 06 2b 0f fe ac 1b 00 9a ad e1 49 13 69 7a cb 34 de a5 6d ca af 36 bc d9 fa d0 88 60 1e 0c 80 35 b8 70 04 e3 90 96 51 18 86 5e a7 7b 6f 0a fe 2c 04 49 a1 41 8e f3 9f 12 31 df c1 79 bb a0 fd 3a 7d f1 f6 90 38 83 35 19 a3 af 6f ef bf 99 52 a8 45 97 f5 1e 70 a6 d3 3a 47 65 fc c6 19 12 4a d6 10 7b 27 71 68 c5 2a e5 05 f9 b5 76 ca 8a 6a 46 0c 9c b8 e0 66 99 04 34 b5 41 fb 7b 60 f7 a2 63 f7 66 7f b6 d0 ad cb 56 36 41 d5 d2 58 fa 07 44 7c ba dd 74 09 cc 65 4f 6f b1 07 17 2e cd ee a0 d0 c9 4d d8 c3 53 fc 78 e4 b1 f8 ed bd e7 6e 05 f6 5a c3 1a f0 d6 b0 12 4d 5d 2a 60 b5 da ea 6a 4a 1e a2 c7 f6 66 50 56 78 d8 a2 6a 29 e3 ae 4c 8b ff ae 95 c8 dc cc f5 a0 df 87 bd 98 72 bd 56 2e 74 7e 40 5b 3e 84 6c 08 51 e7 5e aa bd ce 21 a8 4d 7a 97 0f 82 ad 47 e0 83 d4 29 5f db ec 13 45 a9 79 b6 bd e1 86 df 24 68 1e dc 24 47 c3 61 69 4c 71 8c 3f 6a b1 4a dc 12 e7 24 7b e9 92 9f ca 10 5a e2 86 71 5d ca c4 d6 54 9f 82 80 9e 4e 56 8a 15 fa d2 2e a9 ce 69 ee ab b2 33 2e 52 91 25 e1 74 76 72 36 1b 9d 5d 5d 4e 3f 9e 46 d1 ac 4f 60 14 3e 88 7e 88 46 a3 d1 49 9f d7 66 f9 82 bf 92 cb 2f b3 fc f4 eb f8 33 bf be bd 19 57 ba 8f 79 12 b9 e7 bd 7f 72 fe 6c 4f 16 04 00 00 Data Ascii: mS]O0}%I3QU 
+m-;KwMZ-|?=8Ti)s}dWrhEBxWFb[6e/r]aVEJ5UjS@/)V\B+Iiz4m6`5pQ^{o,IA1y:}85oREp:GeJ{'qh*vjFf4A{`cfV6AXD|teOo.MSxnZM]*`jJfPVxj)LrV.t~@[>lQ^!MzG)_Ey$h$GaiLq?jJ${Zq]TNV.i3.R%tvr6]]N?FO`>~FIf/3WyrlO
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 19 Oct 2021 18:48:42 GMTServer: ApacheX-Powered-By: PHP/7.3.30Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 2663Keep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 1a 6d 6f db b8 f9 73 f2 2b 18 35 98 6d 2c 92 ec eb ba 6b 1b db 43 9a 7a bd 0c 69 1b d4 c5 0d 87 20 38 d0 12 2d b1 a1 44 1d 49 d9 09 ba fc f7 3d a4 24 db 92 25 db c9 92 a0 07 cc c8 8b 45 3e ef 6f 7c 28 b2 7f f0 fe f3 e9 d7 df 2e 46 28 54 11 1b ee f7 0f 6c fb 92 4e d1 d9 08 bd be 1a a2 be 1e 45 0c c7 c1 c0 22 b1 85 3c 86 a5 1c 58 94 bc b6 60 f2 e0 92 c4 3e 9d 5e d9 f6 12 f1 e0 6c 74 35 d4 0f 30 54 46 ce 60 4a 48 fb 00 43 b0 3f dc df eb 47 44 61 e4 85 58 48 a2 06 56 aa a6 f6 6b 0b b9 7a 46 51 c5 c8 f0 7d ca 42 fc 01 e6 d1 38 e4 73 c1 79 84 fe 83 ce 79 40 63 74 81 03 d2 77 33 b0 05 25 1e 2b 12 03 a5 39 f5 55 38 f0 c9 8c 7a c4 36 0f 47 88 c6 54 51 cc 6c e9 61 46 06 3d a7 7b 84 22 7c 43 a3 34 5a 1d 4a 25 11 e6 19 4f 60 28 e6 16 8a 71 44 06 d6 8c 92 79 c2 85 ca c5 2b b3 3b 89 25 16 14 fd 1b 2b 2f 44 bf 70 a0 51 a0 f9 44 7a 82 26 8a f2 f8 9e 98 38 55 21 17 19 12 a0 81 11 d1 60 ed 83 de 8d 3e 9c 7d 42 ef 4e c6 23 74 3a 1e a3 f1 d7 df ce 47 75 70 da ee 7b 7d 46 e3 6b 14 0a 32 1d 58 a1 52 c9 5b d7 9d 82 20 d2 09 38 0f 18 c1 09 95 8e c7 23 d7 93 f2 1f 53 1c 51 76 3b f8 9c 90 f8 af 63 1c cb b7 2f bb dd a3 bf c1 ef df e1 f7 e7 6e d7 42 82 b0 81 25 d5 2d 23 32 24 44 59 15 06 10 32 44 49 37 61 29 78 4b ba df fe 48 89 b8 b5 53 ea aa 90 44 44 ba 13 2c 89 1b 81 53 a6 94 f8 cb 69 07 86 1c 10 60 9d 7e 66 be 66 0e 13 ce 95 54 02 27 5a fe e5 d3 c3 09 6a db d8 78 4e 24 8f 88 a1 b9 3a 70 7f b2 9a 02 8e 69 84 d5 03 91 0d d8 ff 80 6a 0b 22 13 1e 4b 3a 7b 20 15 e3 39 d7 27 53 9c 32 d5 80 4e fd 81 65 e0 72 4a 0d 71 3b fa f4 7e d7 a8 dd 29 f8 ff 35 6e 8e fa 2c 03 91 14 de 9a 8b 13 ec 11 f3 c7 18 e4 9b b4 86 7d 37 03 df 45 f6 66 a6 7d 37 ab 70 fd 09 f7 6f 8b fa 
a9 f9 d8 8a 27 68 12 d8 f3 90 2a 62 15 4c 26 44 57 b4 17 09 94 34 9b 71 ec 13 91 8b ee d3 99 b1 e8 ca cc a2 1c 4f e1 09 8a 1a 88 2c 13 1c 17 a3 32 a1 71 0c 50 5a 11 18 86 7f 40 a3 e0 03 35 b8 86 4b 8d 10 ba 3e 61 1a d7 cb b1 98 2c 89 a2 95 41 f0 59 a1 c5 4c a1 d6 14 50 fe 31 84 72 a4 6c d6 fc 85 12 ad 42 3b 26 73 69 4f 09 f1 ad 25 42 85 e2 02 a4 44 b5 4a b9 89 50 2d 1c 24 64 40 6a 00 0d 30 8d 82 52 dc c0 b3 9b 49 3c 09 5c 99 2f 49 ce b7 24 b0 90 8f 15 b6 b5 8d b2 79 8f cf 60 21 c9 88 23 cc a0 d4 9b 84 58 e3 90 b9 67 db 50 e1 bc 0d fa 2f 8d 24 68 10 2a 3b 5f 62 36 1a aa 04 59 67 ac 8a 2f 6d 1d d5 79 50 6c 32 ec 2a 70 93 69 57 c0 27 02 c7 be 85 ea 01 0d b0 07 f2 11 d1 0c d0 ec 2a 6e 4f 69 8c 99 93 c4 e0 23 53 a8 60 ed 23 5a ef b7 6f ba c9 cd b1 e5 42 8a 6c 22 5f e3 8e 4d c3 85 a7 b6 db ab 6a db 26 87 55 ad 55 82 6e b2 ee 94 8b 08 41 ab 11 72 88 c8 8b cf e3 af 8b 5c 8d b0 30 f1 cb 95 e2 91 0d eb 38 f6 74 77 02 5e c0 de 75 16 dc 4e 12 26 0d 84 ab c2 68 3e 76 20 78 9a a0 c8 9e d8 bd 57 1b f0 0c 2e 8d 93 54 21 75 9b 80 1f 48 84
Source: unknown | TCP traffic detected without corresponding DNS query: 95.100.218.79 (this entry is listed 50 times in the report)
Source: Ruleset Data.2.dr | String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Ruleset Data.2.dr | String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: Filtering Rules.2.dr | String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)
Source: angular.js.2.dr | String found in binary or memory: http://angularjs.org
Source: rundll32.exe | String found in binary or memory: http://api.ipify.org
Source: rundll32.exe, 0000000B.00000003.387311451.00000000013B0000.00000040.00000001.sdmp, rundll32.exe, 0000000B.00000002.579491248.0000000065223000.00000002.00020000.sdmp | String found in binary or memory: http://api.ipify.org0.0.0.0ncdrlebGUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID
Source: Current Session.2.dr | String found in binary or memory: http://dulhagharnh.com
Source: data_1.4.dr | String found in binary or memory: http://dulhagharnh.com/favicon.ico
Source: History Provider Cache.2.dr, Current Session.2.dr | String found in binary or memory: http://dulhagharnh.com/tumor.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A
Source: angular.js.2.dr | String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: data_1.4.dr, History.2.dr, Current Session.2.dr | String found in binary or memory: http://feedproxy.google.com/~r/nevvk/~3/fAU-x0IFuyI/tumor.php
Source: History.2.dr | String found in binary or memory: http://feedproxy.google.com/~r/nevvk/~3/fAU-x0IFuyI/tumor.php/-V
Source: History Provider Cache.2.dr | String found in binary or memory: http://feedproxy.google.com/~r/nevvk/~3/fAU-x0IFuyI/tumor.php2
Source: History Provider Cache.2.dr | String found in binary or memory: http://feedproxy.google.com/~r/nevvk/~3/fAU-x0IFuyI/tumor.php2:
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: mirroring_hangouts.js.2.dr | String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: mirroring_hangouts.js.2.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mirroring_hangouts.js.2.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.2.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.dr, manifest.json1.2.dr | String found in binary or memory: https://accounts.google.com
Source: craw_window.js.2.dr | String found in binary or memory: https://accounts.google.com/MergeSession
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.aadrm.com
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.aadrm.com/
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.cortana.ai
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.office.net
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.onedrive.com
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.dr, manifest.json1.2.dr | String found in binary or memory: https://apis.google.com
Source: mirroring_common.js.2.dr | String found in binary or memory: https://apis.google.com/js/client.js
Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://apis.live.net/v5.0/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://arc.msn.com/v4/api/selection
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://augloop.office.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://augloop.office.com/v2
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://autodiscover-s.outlook.com/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
            Source: mirroring_common.js.2.drString found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://cdn.entity.
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://clients.config.office.net/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.drString found in binary or memory: https://clients2.google.com
            Source: mirroring_hangouts.js.2.dr, mirroring_cast_streaming.js.2.drString found in binary or memory: https://clients2.google.com/cr/report
            Source: manifest.json0.2.drString found in binary or memory: https://clients2.google.com/service/update2/crx
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.drString found in binary or memory: https://clients2.googleusercontent.com
            Source: mirroring_hangouts.js.2.drString found in binary or memory: https://clients6.google.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://config.edge.skype.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
            Source: manifest.json1.2.drString found in binary or memory: https://content.googleapis.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://cortana.ai
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://cortana.ai/api
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://cr.office.com
            Source: common.js.2.dr, mirroring_cast_streaming.js.2.drString found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
            Source: LICENSE.txt.2.drString found in binary or memory: https://creativecommons.org/.
            Source: LICENSE.txt.2.drString found in binary or memory: https://creativecommons.org/compatiblelicenses
            Source: mirroring_hangouts.js.2.drString found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://dataservice.o365filtering.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://dataservice.o365filtering.com/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://dev.cortana.ai
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://devnull.onenote.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://directory.services.
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 35f4f794-0de9-46b8-87d5-ac464ff3db0e.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.dr, 1ef5b3c7-af35-4182-8a88-fff8864f8414.tmp.4.drString found in binary or memory: https://dns.google
            Source: mirroring_common.js.2.drString found in binary or memory: https://docs.google.com
            Source: LICENSE.txt.2.drString found in binary or memory: https://easylist.to/)
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://ecs.office.com/config/v2/Office
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://enrichment.osi.office.net/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://entitlement.diagnostics.office.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
            Source: manifest.json1.2.drString found in binary or memory: https://feedback.googleusercontent.com
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.drString found in binary or memory: https://fonts.googleapis.com
            Source: manifest.json1.2.drString found in binary or memory: https://fonts.googleapis.com;
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.drString found in binary or memory: https://fonts.gstatic.com
            Source: manifest.json1.2.drString found in binary or memory: https://fonts.gstatic.com;
            Source: material_css_min.css.2.drString found in binary or memory: https://github.com/angular/material
            Source: LICENSE.txt.2.drString found in binary or memory: https://github.com/easylist)
            Source: craw_window.js.2.dr, craw_background.js.2.drString found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
            Source: mirroring_hangouts.js.2.drString found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://globaldisco.crm.dynamics.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://graph.ppe.windows.net
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://graph.ppe.windows.net/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://graph.windows.net
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://graph.windows.net/
            Source: mirroring_hangouts.js.2.drString found in binary or memory: https://hangouts.clients6.google.com
            Source: manifest.json1.2.drString found in binary or memory: https://hangouts.google.com/
            Source: mirroring_hangouts.js.2.drString found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://incidents.diagnostics.office.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://lifecycle.office.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://login.microsoftonline.com/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://login.windows.local
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://management.azure.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://management.azure.com/
            Source: mirroring_common.js.2.drString found in binary or memory: https://meet.google.com
            Source: mirroring_hangouts.js.2.drString found in binary or memory: https://meetings.clients6.google.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://messaging.office.com/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://ncus.contentsync.
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://ncus.pagecontentsync.
            Source: mirroring_common.js.2.drString found in binary or memory: https://networktraversal.googleapis.com/v1alpha
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://officeapps.live.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://officeci.azurewebsites.net/api/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.drString found in binary or memory: https://ogs.google.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://onedrive.live.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
            Source: History.2.dr, 000003.log2.2.drString found in binary or memory: https://onedrive.live.com/download?cid=0DF59F19CAD3822F&resid=DF59F19CAD3822F%21115&authkey=ANFm8P6L
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://onedrive.live.com/embed?
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://osi.office.net
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://outlook.office.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://outlook.office.com/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://outlook.office365.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://outlook.office365.com/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://pages.store.office.com/review/query
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
            Source: craw_window.js.2.dr, manifest.json0.2.drString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.drString found in binary or memory: https://play.google.com
            Source: mirroring_hangouts.js.2.drString found in binary or memory: https://play.google.com/log?format=json&hasfast=true
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://powerlift.acompli.net
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
            Source: mirroring_hangouts.js.2.drString found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
            Source: 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.drString found in binary or memory: https://r4---sn-5hne6nzs.gvt1.com
            Source: data_3.4.drString found in binary or memory: https://r4---sn-5hne6nzs.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=102.1
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
            Source: 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.drString found in binary or memory: https://redirector.gvt1.com
            Source: data_1.4.drString found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://roaming.edog.
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
            Source: craw_window.js.2.dr, manifest.json0.2.drString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://settings.outlook.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://shell.suite.office.com:1443
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://skyapi.live.net/Activity/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.drString found in binary or memory: https://ssl.gstatic.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://staging.cortana.ai
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://store.office.cn/addinstemplate
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://store.office.com/addinstemplate
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://store.office.de/addinstemplate
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://store.officeppe.com/addinstemplate
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
            Source: messages.json74.2.dr, feedback.html.2.drString found in binary or memory: https://support.google.com/chromecast/answer/2998456
            Source: messages.json74.2.dr, feedback.html.2.drString found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://tasks.office.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
            Source: 1019_4033561623981.doc_Zone.Identifier.5.dr, data_1.4.dr, History.2.dr, 000003.log2.2.drString found in binary or memory: https://vhoonq.dm.files.1drv.com/y4mGxUOeyIuz0TBX9ilgpcazrZs4SVFQpiS72P9oV636IVZWEmsOs8lpQ3PrvmPuRfZ
            Source: data_3.4.drString found in binary or memory: https://vhoonq.dm.files.1drv.com/y4mW9nsQCjazfW1n9jUI5hZB4dxYdZ_b1X2oJH1M3KvEbip7Ar3xRfjGSLCDI5QWcB3
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://web.microsoftstream.com/video/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://webshell.suite.office.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://wus2.contentsync.
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://wus2.pagecontentsync.
            Source: craw_window.js.2.dr, craw_background.js.2.dr | String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.dr, manifest.json1.2.dr | String found in binary or memory: https://www.google.com
            Source: manifest.json0.2.dr | String found in binary or memory: https://www.google.com/
            Source: craw_window.js.2.dr | String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
            Source: craw_window.js.2.dr | String found in binary or memory: https://www.google.com/images/cleardot.gif
            Source: craw_window.js.2.dr | String found in binary or memory: https://www.google.com/images/dot2.gif
            Source: craw_window.js.2.dr | String found in binary or memory: https://www.google.com/images/x2.gif
            Source: craw_background.js.2.dr | String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
            Source: mirroring_hangouts.js.2.dr | String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
            Source: feedback_script.js.2.dr | String found in binary or memory: https://www.google.com/tools/feedback
            Source: manifest.json1.2.dr | String found in binary or memory: https://www.google.com;
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.dr, craw_window.js.2.dr, craw_background.js.2.dr | String found in binary or memory: https://www.googleapis.com
            Source: manifest.json0.2.dr | String found in binary or memory: https://www.googleapis.com/
            Source: manifest.json1.2.dr | String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
            Source: manifest.json1.2.dr | String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
            Source: manifest.json0.2.dr | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
            Source: manifest.json0.2.dr | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
            Source: manifest.json1.2.dr | String found in binary or memory: https://www.googleapis.com/auth/clouddevices
            Source: manifest.json1.2.dr | String found in binary or memory: https://www.googleapis.com/auth/hangouts
            Source: manifest.json1.2.dr | String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
            Source: manifest.json1.2.dr | String found in binary or memory: https://www.googleapis.com/auth/meetings
            Source: manifest.json1.2.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
            Source: manifest.json0.2.dr | String found in binary or memory: https://www.googleapis.com/auth/sierra
            Source: manifest.json0.2.dr | String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
            Source: manifest.json1.2.dr | String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
            Source: mirroring_common.js.2.dr | String found in binary or memory: https://www.googleapis.com/calendar/v3
            Source: mirroring_common.js.2.dr | String found in binary or memory: https://www.googleapis.com/hangouts/v1
            Source: 3c9edc17-3071-41d0-b851-02b4a7eaadd9.tmp.4.dr, 0dbed7d5-ab0c-4975-868a-aae216d7c628.tmp.4.dr | String found in binary or memory: https://www.gstatic.com
            Source: common.js.2.dr | String found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
            Source: manifest.json1.2.dr | String found in binary or memory: https://www.gstatic.com;
            Source: B77735CF-E68F-4A9B-AA83-AFA4F56B127E.6.dr | String found in binary or memory: https://www.odwebp.svc.ms
            Source: unknown | HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
                Host: accounts.google.com
                Connection: keep-alive
                Content-Length: 1
                Origin: https://www.google.com
                Content-Type: application/x-www-form-urlencoded
                Sec-Fetch-Site: none
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
                Accept-Encoding: gzip, deflate, br
                Accept-Language: en-US,en;q=0.9
            Source: unknown | DNS traffic detected: queries for: accounts.google.com
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_65221E3B lstrlenA,lstrlenA,lstrlenA,InternetCrackUrlA,InternetConnectA,HttpOpenRequestA,InternetCloseHandle,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
            Source: global traffic | HTTP traffic detected: GET /image/apps.18694.9007199266247846.b5c49955-e050-4553-b8e4-0e223ed6c5a1.4e8e78d2-c2c2-4c02-8d8c-46ac3b2419e7?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.15445.9007199266246197.1102bb94-3d65-417b-bd4a-5e4abd0fc759.383d8ea0-4240-4554-8a60-3d075579c48e?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.16574.13571498826857201.00a9d390-581f-492c-b148-b2ce81649480.6a6f592e-efa9-4bb0-b008-7c3422ab3313?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
                Connection: Keep-Alive
                Accept: */*
                Accept-Encoding: identity
                If-Unmodified-Since: Thu, 20 Apr 2017 16:10:39 GMT
                User-Agent: Microsoft BITS/7.8
                Host: fs.microsoft.com
            Source: global traffic | HTTP traffic detected: GET /image/apps.18858.9007199266246227.c596c546-6fcb-4260-935c-19bc24b971ef.1b03c26f-1753-4221-9ab1-4581f098723d?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.2052.9007199266247846.b5c49955-e050-4553-b8e4-0e223ed6c5a1.a0c3decd-308f-4f06-bcfb-2aa4f3afe248?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.20893.13571498826857201.00a9d390-581f-492c-b148-b2ce81649480.acc28f88-50de-4aaf-abfc-ad1da8b04cd0?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.256.14495311847124170.e89a4dce-fd9a-4a10-b8e4-a6c3aa1c055e.ca4cbefc-0ab0-4144-90c1-07f5250c8c21?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.23911.9007199266246197.1102bb94-3d65-417b-bd4a-5e4abd0fc759.1357e1bf-d617-4272-ae74-1ad5e64df828?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.40093.9007199266285780.3d16d9fa-052b-42c5-ba7d-a5688e3dda24.e6964d6a-18a4-4746-9238-9f0acc233a65?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.37827.13753891519397067.09276afb-06f9-44a1-b0d9-b027aaf639b5.96a6ae2c-a3e2-4b3c-8de1-2a17df388872?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.39478.14495311847124170.e89a4dce-fd9a-4a10-b8e4-a6c3aa1c055e.8ad1b690-ff36-44fa-8afc-0dc5bed1273c?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.49525.13510798887047136.8a1815b2-017c-48c8-80cc-ca4d1ae5c8cf.2f6b9bdf-a4fc-42d8-aea0-65c437755b78?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.49856.13753891519397067.09276afb-06f9-44a1-b0d9-b027aaf639b5.44e51362-f63c-4737-878e-9c83ae307c47?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.58298.9007199266285780.3d16d9fa-052b-42c5-ba7d-a5688e3dda24.55988ee1-bd9b-4322-980a-a610abdc7713?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.616.13510798887047136.8a1815b2-017c-48c8-80cc-ca4d1ae5c8cf.d81cfd95-c9fd-48e0-8fc3-36ff7b9e590a?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.61697.13655054093851568.ecfc3d57-8aa7-49f2-8c4c-10a73f65d318.de2c41ce-3a62-4a3f-9eb5-bf27a7b31a57?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.64128.9007199266246227.c596c546-6fcb-4260-935c-19bc24b971ef.d58015ff-2fcf-4113-975b-e873039b6d86?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.11554.13576748414566955.ddf411cf-737c-4c89-8b37-cb8d28921c17.e0987182-8d6c-458c-befd-5dda1218b08e?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.16957.14618985536919905.4b30e4f3-f7a1-4421-840c-2cc97b10e8e0.aef04b90-a221-4ea5-a05d-0d51ac792471?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.18124.9007199266244427.c75d2ced-a383-40dc-babd-1ad2ceb13c86.afc6c372-c7a8-4eda-94fb-541bbb081d14?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.31377.13925855090824389.5d8469ac-bd06-459d-aeb3-ac562357124f.715204a1-f65d-4d02-859d-2a63864bf401?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.38957.9007199266246761.3059e916-5e99-4797-a868-366cc8761e37.dcc9368c-4c77-41a2-b867-8514435d8418?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.39016.9007199266243744.36dde9d0-f21a-47d2-976e-f1ea3f5b031f.bbea1229-a466-4a8c-b428-57cb58abf084?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.41671.13634052595610511.c45457c9-b4af-46b0-8e61-8d7c0aec3f56.86b1d82d-8b47-4bda-99fc-8a1db0a7ac9d?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.43423.13510798883386282.9283c867-e87c-44e6-8b74-26c2744befb9.e2e1f371-e658-4ebc-afda-254d7c8f9a8e?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.47231.13510798883386282.03d5627f-a416-4073-8989-ce5891d3a285.f7f2ba18-f7d5-4307-85b3-dba28f22a8bb?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.5075.9007199266244427.c75d2ced-a383-40dc-babd-1ad2ceb13c86.f329a73d-1ae8-4445-aa4c-bf40f3c5d62d?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.51843.9007199266243449.90709ce3-050c-4cef-8d4a-9ef213b89ef2.c13e8407-eaf8-447a-a5d6-9abd8bc2c1f3?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.52481.9007199266243744.36dde9d0-f21a-47d2-976e-f1ea3f5b031f.16c0a704-aef8-4bc4-af36-0c3b3ee0f6e2?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.54145.14618985536919905.4b30e4f3-f7a1-4421-840c-2cc97b10e8e0.0df01b4e-7fca-47eb-b3d7-95ba7990754d?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.54562.13634052595610511.c45457c9-b4af-46b0-8e61-8d7c0aec3f56.24af4abe-62f8-404b-b1a9-ee8fe4d32d94?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.55990.13510798886747090.a0953092-5fc3-46f0-aefa-796cb3a9b90b.1c9f2174-7e18-48ba-af90-e569a2444a83?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.58878.9007199266246761.3059e916-5e99-4797-a868-366cc8761e37.21987aba-4948-4f44-bf2e-eba90517f1c5?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.59367.13510798885854323.dbec43fa-fcea-4036-9b1c-96de66922c18.da850a8e-5b3f-49fd-b3dc-6a8c0db400e4?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.5940.13925855090824389.5d8469ac-bd06-459d-aeb3-ac562357124f.4188e018-d924-474d-ad09-e02db690d34f?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.62687.13510798885854323.6a8c11ad-84e9-4247-9ba9-ab3742bdbb87.e61dfadd-3bdd-4f66-beb1-6bb763b60b02?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.7873.9007199266243449.90709ce3-050c-4cef-8d4a-9ef213b89ef2.7885dc21-4015-4284-a596-d3d24cf6c1b8?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.8341.13510798886747090.a0953092-5fc3-46f0-aefa-796cb3a9b90b.fc0c6be7-c064-44dc-a7df-81e7097e3c93?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /image/apps.8607.13576748414566955.ddf411cf-737c-4c89-8b37-cb8d28921c17.c26d58e8-2d33-4e9a-bf78-e22de319ec46?format=source HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate, br
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                Host: store-images.s-microsoft.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
                Host: clients2.google.com
                Connection: keep-alive
                X-Goog-Update-Interactivity: fg
                X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm
                X-Goog-Update-Updater: chromecrx-85.0.4183.121
                Sec-Fetch-Site: none
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
                Accept-Encoding: gzip, deflate, br
                Accept-Language: en-US,en;q=0.9
            Source: global traffic | HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1
                Host: clients2.googleusercontent.com
                Connection: keep-alive
                Sec-Fetch-Site: none
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
                Accept-Encoding: gzip, deflate, br
                Accept-Language: en-US,en;q=0.9
            Source: global traffic | HTTP traffic detected: GET /~r/nevvk/~3/fAU-x0IFuyI/tumor.php HTTP/1.1
                Host: feedproxy.google.com
                Connection: keep-alive
                Upgrade-Insecure-Requests: 1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                Accept-Encoding: gzip, deflate
                Accept-Language: en-US,en;q=0.9
            Source: global traffic | HTTP traffic detected: GET /tumor.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nevvk+%28triceratopsrandomize%29 HTTP/1.1
                Host: dulhagharnh.com
                Connection: keep-alive
                Upgrade-Insecure-Requests: 1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                Accept-Encoding: gzip, deflate
                Accept-Language: en-US,en;q=0.9
            Source: global traffic | HTTP traffic detected: GET /tumor.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nevvk+%28triceratopsrandomize%29 HTTP/1.1
                Host: dulhagharnh.com
                Connection: keep-alive
                Cache-Control: max-age=0
                Upgrade-Insecure-Requests: 1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                Referer: http://dulhagharnh.com/tumor.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nevvk+%28triceratopsrandomize%29
                Accept-Encoding: gzip, deflate
                Accept-Language: en-US,en;q=0.9
                Cookie: d=-420; n=America/Los_Angeles
            Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1
                Host: dulhagharnh.com
                Connection: keep-alive
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
                Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
                Referer: http://dulhagharnh.com/tumor.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nevvk+%28triceratopsrandomize%29
                Accept-Encoding: gzip, deflate
                Accept-Language: en-US,en;q=0.9
                Cookie: d=-420; n=America/Los_Angeles
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                Host: api.ipify.org
                Cache-Control: no-cache

            System Summary:

            Document contains an embedded VBA with functions possibly related to ADO stream file operations
            Source: 050f82c7-4e89-446c-bca6-18d324bf33a1.tmp.2.dr | Stream path 'Macros/VBA/Module1' : found possibly 'ADODB.Stream' functions open, read, write
            Document contains an embedded VBA macro which may execute processes
            Source: 050f82c7-4e89-446c-bca6-18d324bf33a1.tmp.2.dr | OLE, VBA macro line: mySum = Application.Run("ppl")
            Office process drops PE file
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap (copy)
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\gelfor.dap
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_6524CD40
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_6523254F
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_65245D8F
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_6524E5F3
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_65244C70
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_65232C75
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_65231C7D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_652327AC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_65231EAC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_652320E6
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_65232315
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_65232A18
            Source: 050f82c7-4e89-446c-bca6-18d324bf33a1.tmp.2.dr | OLE, VBA macro line: Private Sub Document_Open()
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'http://feedproxy.google.com/~r/nevvk/~3/fAU-x0IFuyI/tumor.php'
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,8249347436708420148,3166393392138617349,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1904 /prefetch:8
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1552,8249347436708420148,3166393392138617349,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4924 /prefetch:8
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /n 'C:\Users\user\Downloads\1019_4033561623981.doc' /o ''
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,8249347436708420148,3166393392138617349,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1904 /prefetch:8Jump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1552,8249347436708420148,3166393392138617349,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4924 /prefetch:8Jump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /n 'C:\Users\user\Downloads\1019_4033561623981.doc' /o ''Jump to behavior
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD
            Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-616F9194-1A70.pma
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Local\Temp\4c765350-34b1-4ba6-8bce-0b69fb532289.tmp
            Source: classification engine; Classification label: mal100.troj.expl.evad.win@43/262@9/11
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; File read: C:\Users\desktop.ini
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Program Files\Google\Chrome\Application\Dictionaries
            Source: C:\Windows\SysWOW64\rundll32.exe; File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder; Window detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic