
Windows Analysis Report http://vulkanbonus.karmaguru.in/voluptasquis/laboriosampariatur-6199055

Overview

General Information

Sample URL: http://vulkanbonus.karmaguru.in/voluptasquis/laboriosampariatur-6199055
Analysis ID: 527982

Detection

Hidden Macro 4.0
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Yara detected hidden Macro 4.0 in Excel
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://vulkanbonus.karmaguru.in/voluptasquis/laboriosampariatur-6199055" MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 4580 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,3653659809805504951,3020769216982181712,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1956 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6912 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1528,3653659809805504951,3020769216982181712,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=6296 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • unarchiver.exe (PID: 7112 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\laboriosampariatur-6199055.zip" MD5: 1BFD96908AB2C114F24ABAF0CB630007)
      • 7za.exe (PID: 6708 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\webwcryn.4k5" "C:\Users\user\Downloads\laboriosampariatur-6199055.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 5160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 7040 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\webwcryn.4k5\new-2048176346.xls" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • EXCEL.EXE (PID: 6744 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde MD5: 5D6638F2C8F8571C593999C58866007E)
          • regsvr32.exe (PID: 6776 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
          • regsvr32.exe (PID: 6988 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
          • regsvr32.exe (PID: 992 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\webwcryn.4k5\new-2048176346.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x3c8aa:$s1: Excel
  • 0x3d978:$s1: Excel
  • 0x3521:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: C:\Users\user\AppData\Local\Temp\webwcryn.4k5\new-2048176346.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started
    Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
    Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6744, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, ProcessId: 6776

    Jbx Signature Overview

    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\676_1656799962\LICENSE.txt
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
    Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: unknown | HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.6:49790 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.6:49791 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.161.44.139:443 -> 192.168.2.6:49793 version: TLS 1.2

    Software Vulnerabilities:

    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe
    Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04FA09B7h | 3_2_04FA02A8
    Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04FA09B6h | 3_2_04FA02A8
    Source: global traffic | HTTP traffic detected:
      HTTP/1.1 200 OK
      Date: Wed, 24 Nov 2021 15:35:06 GMT
      Server: Apache
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      Set-Cookie: PHPSESSID=3c72e16f941ae5f1bcfbef6113cbb59a; path=/
      Upgrade: h2,h2c
      Connection: Upgrade, Keep-Alive
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Content-Length: 175
      Keep-Alive: timeout=5, max=75
      Content-Type: text/html; charset=UTF-8
      Data Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 8e 4d 0e 82 30 18 44 af d2 74 03 2c 68 11 a3 2e 2c 4d 34 71 e1 09 5c 97 b6 91 86 fe 59 be 92 e0 e9 15 74 37 99 64 de 3c 36 80 b3 9c f5 41 2d 9c 29 33 23 a3 3a ec 47 8c 14 d4 7e ec 30 9d 83 cd 11 c4 f4 ca 66 a2 32 78 d0 2e 86 24 d2 52 b7 fb 63 d3 1e 4e cd 8e bc 4d c4 9c d1 ef 9c b3 49 26 13 81 db 20 05 98 e0 49 14 30 78 e1 34 ea 90 0a 32 3b ed 81 3c 35 dc ac 5e e3 75 b9 ab b2 f0 63 51 ad e5 05 20 99 3e 83 2e 8b ed be a8 ce 8c fe 81 8c fe 1c e9 26 fc 10 06 08 21 1f d0 6a 15 95 be 00 00 00
      Data Ascii: -M0Dt,h.,M4q\Yt7d<6A-)3#:G~0f2x.$RcNMI& I0x42;<5^ucQ >.&!j
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
    Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
    Source: Ruleset Data.0.dr | String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
    Source: Filtering Rules.0.dr, Ruleset Data.0.dr | String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
    Source: Filtering Rules.0.dr | String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)
    Source: angular.js.0.dr | String found in binary or memory: http://angularjs.org
    Source: angular.js.0.dr | String found in binary or memory: http://errors.angularjs.org/1.6.4-local
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://tools.ietf.org/html/rfc1950
    Source: data_1.1.dr, 000003.log2.0.dr, laboriosampariatur-6199055.zip_Zone.Identifier.2.dr | String found in binary or memory: http://vulkanbonus.karmaguru.in/voluptasquis/contemporary-236025701.zip
    Source: History.0.dr | String found in binary or memory: http://vulkanbonus.karmaguru.in/voluptasquis/contemporary-236025701.zipL
    Source: History.0.dr | String found in binary or memory: http://vulkanbonus.karmaguru.in/voluptasquis/laboriosampariatur-6199055
    Source: History.0.dr | String found in binary or memory: http://vulkanbonus.karmaguru.in/voluptasquis/laboriosampariatur-6199055/0(m
    Source: History Provider Cache.0.dr | String found in binary or memory: http://vulkanbonus.karmaguru.in/voluptasquis/laboriosampariatur-61990552
    Source: History Provider Cache.0.dr | String found in binary or memory: http://vulkanbonus.karmaguru.in/voluptasquis/laboriosampariatur-61990552:
    Source: History.0.dr | String found in binary or memory: http://vulkanbonus.karmaguru.in/voluptasquis/laboriosampariatur-6199055http://vulkanbonus.karmaguru.
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
    Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: manifest.json1.0.dr, 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.dr | String found in binary or memory: https://accounts.google.com
    Source: craw_window.js.0.dr | String found in binary or memory: https://accounts.google.com/MergeSession
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.aadrm.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.aadrm.com/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.addins.store.office.com/addinstemplate
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.cortana.ai
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.diagnostics.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.microsoftstream.com/api/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.office.net
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.onedrive.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: manifest.json1.0.dr, 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.dr | String found in binary or memory: https://apis.google.com
    Source: mirroring_common.js.0.dr | String found in binary or memory: https://apis.google.com/js/client.js
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://apis.live.net/v5.0/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://augloop.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://augloop.office.com/v2
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: mirroring_common.js.0.dr | String found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://cdn.entity.
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://clients.config.office.net/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.dr | String found in binary or memory: https://clients2.google.com
    Source: mirroring_hangouts.js.0.dr, mirroring_cast_streaming.js.0.dr | String found in binary or memory: https://clients2.google.com/cr/report
    Source: manifest.json1.0.dr, manifest.json.0.dr | String found in binary or memory: https://clients2.google.com/service/update2/crx
    Source: 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.dr | String found in binary or memory: https://clients2.googleusercontent.com
    Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://clients6.google.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://config.edge.skype.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: manifest.json1.0.dr | String found in binary or memory: https://content.googleapis.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://cortana.ai
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://cortana.ai/api
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://cr.office.com
    Source: mirroring_cast_streaming.js.0.dr, common.js.0.dr | String found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
    Source: LICENSE.txt.0.dr | String found in binary or memory: https://creativecommons.org/.
    Source: LICENSE.txt.0.dr | String found in binary or memory: https://creativecommons.org/compatiblelicenses
    Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
    Source: Reporting and NEL.1.dr | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://dataservice.o365filtering.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://dataservice.o365filtering.com/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://dev.cortana.ai
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://devnull.onenote.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://directory.services.
    Source: 032bd314-c0ad-43ff-859e-805db691f873.tmp.1.dr, 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.dr, 5314b2be-46f0-4012-8f43-eed4843e1078.tmp.1.dr | String found in binary or memory: https://dns.google
    Source: mirroring_common.js.0.dr | String found in binary or memory: https://docs.google.com
    Source: LICENSE.txt.0.dr | String found in binary or memory: https://easylist.to/)
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://enrichment.osi.office.net/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: manifest.json1.0.dr | String found in binary or memory: https://feedback.googleusercontent.com
    Source: 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.dr | String found in binary or memory: https://fonts.googleapis.com
    Source: manifest.json1.0.dr | String found in binary or memory: https://fonts.googleapis.com;
    Source: 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.dr | String found in binary or memory: https://fonts.gstatic.com
    Source: manifest.json1.0.dr | String found in binary or memory: https://fonts.gstatic.com;
    Source: material_css_min.css.0.dr, angular.js.0.dr | String found in binary or memory: https://github.com/angular/material
    Source: LICENSE.txt.0.dr | String found in binary or memory: https://github.com/easylist)
    Source: craw_window.js.0.dr, craw_background.js.0.dr | String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
    Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://graph.ppe.windows.net
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://graph.ppe.windows.net/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://graph.windows.net
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://graph.windows.net/
    Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://hangouts.clients6.google.com
    Source: manifest.json1.0.dr | String found in binary or memory: https://hangouts.google.com/
    Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://incidents.diagnostics.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://lifecycle.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://login.microsoftonline.com/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://login.windows.local
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://management.azure.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://management.azure.com/
    Source: mirroring_common.js.0.dr | String found in binary or memory: https://meet.google.com
    Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://meetings.clients6.google.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://messaging.office.com/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://ncus.contentsync.
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://ncus.pagecontentsync.
    Source: mirroring_common.js.0.dr | String found in binary or memory: https://networktraversal.googleapis.com/v1alpha
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://officeapps.live.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.dr | String found in binary or memory: https://ogs.google.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://onedrive.live.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://onedrive.live.com/embed?
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://osi.office.net
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.dr | String found in binary or memory: https://otelrules.azureedge.net
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://outlook.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://outlook.office.com/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://outlook.office365.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://outlook.office365.com/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: craw_window.js.0.dr, manifest.json.0.drString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://play.google.com/log?format=json&hasfast=true
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://powerlift.acompli.net
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.drString found in binary or memory: https://r1---sn-1gieen7e.gvt1.com
    Source: data_3.1.drString found in binary or memory: https://r1---sn-1gieen7e.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.drString found in binary or memory: https://redirector.gvt1.com
    Source: data_1.1.drString found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://roaming.edog.
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: craw_window.js.0.dr, manifest.json.0.drString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://settings.outlook.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.drString found in binary or memory: https://ssl.gstatic.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://staging.cortana.ai
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
    Source: messages.json41.0.dr, messages.json15.0.dr, messages.json5.0.dr, messages.json7.0.dr, messages.json29.0.dr, feedback.html.0.dr, messages.json75.0.dr, messages.json71.0.dr, messages.json73.0.dr, messages.json27.0.dr, messages.json83.0.dr, messages.json79.0.dr, messages.json25.0.dr, messages.json82.0.dr, messages.json74.0.dr, messages.json0.0.dr, messages.json85.0.dr, messages.json88.0.dr, messages.json14.0.dr, messages.json87.0.dr, messages.json18.0.dr, messages.json76.0.dr, messages.json.0.dr, messages.json80.0.dr, messages.json43.0.dr, messages.json28.0.dr, messages.json10.0.dr, messages.json8.0.dr, messages.json78.0.dr, messages.json2.0.dr, messages.json81.0.dr, messages.json31.0.dr, messages.json77.0.dr, messages.json11.0.dr, messages.json26.0.dr, messages.json6.0.dr, messages.json72.0.dr, messages.json1.0.dr, messages.json86.0.dr, messages.json30.0.dr, messages.json84.0.dr, messages.json12.0.dr, messages.json4.0.dr, messages.json19.0.dr, messages.json40.0.dr, messages.json16.0.dr, messages.json24.0.dr, messages.json17.0.dr, messages.json13.0.dr, messages.json42.0.drString found in binary or memory: https://support.google.com/chromecast/answer/2998456
    Source: messages.json41.0.dr, messages.json15.0.dr, messages.json5.0.dr, messages.json7.0.dr, messages.json29.0.dr, feedback.html.0.dr, messages.json75.0.dr, messages.json71.0.dr, messages.json73.0.dr, messages.json27.0.dr, messages.json83.0.dr, messages.json79.0.dr, messages.json25.0.dr, messages.json82.0.dr, messages.json74.0.dr, messages.json0.0.dr, messages.json85.0.dr, messages.json88.0.dr, messages.json14.0.dr, messages.json87.0.dr, messages.json18.0.dr, messages.json76.0.dr, messages.json.0.dr, messages.json80.0.dr, messages.json43.0.dr, messages.json28.0.dr, messages.json10.0.dr, messages.json8.0.dr, messages.json78.0.dr, messages.json2.0.dr, messages.json81.0.dr, messages.json31.0.dr, messages.json77.0.dr, messages.json11.0.dr, messages.json26.0.dr, messages.json6.0.dr, messages.json72.0.dr, messages.json1.0.dr, messages.json86.0.dr, messages.json30.0.dr, messages.json84.0.dr, messages.json12.0.dr, messages.json4.0.dr, messages.json19.0.dr, messages.json40.0.dr, messages.json16.0.dr, messages.json24.0.dr, messages.json17.0.dr, messages.json13.0.dr, messages.json42.0.drString found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://tasks.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://webshell.suite.office.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://wus2.contentsync.
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: craw_window.js.0.dr, craw_background.js.0.drString found in binary or memory: https://www-googleapis-staging.sandbox.google.com
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: manifest.json1.0.dr, 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.drString found in binary or memory: https://www.google.com
    Source: manifest.json.0.drString found in binary or memory: https://www.google.com/
    Source: craw_window.js.0.drString found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
    Source: craw_window.js.0.drString found in binary or memory: https://www.google.com/images/cleardot.gif
    Source: craw_window.js.0.drString found in binary or memory: https://www.google.com/images/dot2.gif
    Source: craw_window.js.0.drString found in binary or memory: https://www.google.com/images/x2.gif
    Source: craw_background.js.0.drString found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://www.google.com/log?format=json&hasfast=true
    Source: feedback_script.js.0.drString found in binary or memory: https://www.google.com/tools/feedback
    Source: manifest.json1.0.drString found in binary or memory: https://www.google.com;
    Source: craw_window.js.0.dr, craw_background.js.0.dr, 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.drString found in binary or memory: https://www.googleapis.com
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/clouddevices
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/meetings
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/sierra
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/userinfo.email
    Source: mirroring_common.js.0.drString found in binary or memory: https://www.googleapis.com/calendar/v3
    Source: mirroring_common.js.0.drString found in binary or memory: https://www.googleapis.com/hangouts/v1
    Source: 10dd846f-83bc-4342-a3d3-76d079f9b9d7.tmp.1.dr, 248a4332-23c1-4649-800c-6c44f31cf0a5.tmp.1.drString found in binary or memory: https://www.gstatic.com
    Source: common.js.0.drString found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
    Source: manifest.json1.0.drString found in binary or memory: https://www.gstatic.com;
    Source: F90B3D14-54E1-4326-A222-CA0FF043C276.10.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: unknown HTTP traffic detected:
        POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
        Host: accounts.google.com
        Connection: keep-alive
        Content-Length: 1
        Origin: https://www.google.com
        Content-Type: application/x-www-form-urlencoded
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: empty
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: unknown DNS traffic detected: queries for: clients2.google.com
    Source: global traffic HTTP traffic detected:
        GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
        Host: clients2.google.com
        Connection: keep-alive
        X-Goog-Update-Interactivity: fg
        X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm
        X-Goog-Update-Updater: chromecrx-85.0.4183.121
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: empty
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic HTTP traffic detected:
        GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1
        Host: clients2.googleusercontent.com
        Connection: keep-alive
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: empty
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic HTTP traffic detected:
        GET /GD7A3PSD4zc/tw.html HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: orthomay.com.br
        Connection: Keep-Alive
    Source: global traffic HTTP traffic detected:
        GET /ag2DVqIM/w.html HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: quebradadigital.com.br
        Connection: Keep-Alive
    Source: global traffic HTTP traffic detected:
        GET /UnE5kOnX/tw.html HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: mustafakhafimsp.af
        Connection: Keep-Alive
    Source: global traffic HTTP traffic detected:
        GET /voluptasquis/laboriosampariatur-6199055 HTTP/1.1
        Host: vulkanbonus.karmaguru.in
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
    Source: global traffic HTTP traffic detected:
        GET /voluptasquis/contemporary-236025701.zip HTTP/1.1
        Host: vulkanbonus.karmaguru.in
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: http://vulkanbonus.karmaguru.in/voluptasquis/laboriosampariatur-6199055
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
        Cookie: PHPSESSID=3c72e16f941ae5f1bcfbef6113cbb59a
    Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.6:49790 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.6:49791 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 104.161.44.139:443 -> 192.168.2.6:49793 version: TLS 1.2

    System Summary:

    Source: C:\Users\user\AppData\Local\Temp\webwcryn.4k5\new-2048176346.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll