IOC Report

loading gif

Files

File Path
Type
Category
Malicious
payment8642156.xlsb
Microsoft Excel 2007+
initial sample
malicious
C:\ProgramData\XgQXeAWeoOU.rtf
HTML document, ASCII text, with very long lines, with CRLF line terminators
dropped
malicious
C:\Users\user\Desktop\~$payment8642156.xlsb
data
dropped
malicious
C:\ProgramData\pXJSNz.txt
ASCII text, with no line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\89313E5E-CC0C-4CD1-B945-313065E02B9E
XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\274B0EB1.png
PNG image data, 288 x 44, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\55F344FE.png
PNG image data, 237 x 336, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7A5B4E7.tmp
Microsoft Excel 2007+
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
ASCII text, with no line terminators
dropped
clean
\Device\ConDrv
ASCII text, with CRLF, CR line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
ASCII text, with no line terminators
downloaded
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32440B49.png
PNG image data, 288 x 44, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C414A8B6.png
PNG image data, 237 x 336, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Temp\5E36.tmp
Microsoft Excel 2007+
dropped
clean
There are 4 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
malicious
C:\Windows\SysWOW64\wbem\WMIC.exe
wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf"
malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
malicious
C:\Windows\System32\wbem\WMIC.exe
wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
clean
C:\Windows\System32\mshta.exe
mshta C:\ProgramData\XgQXeAWeoOU.rtf
clean

URLs

Name
IP
Malicious
https://api.diagnosticssdf.office.com
unknown
clean
https://login.microsoftonline.com/
unknown
clean
https://shell.suite.office.com:1443
unknown
clean
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
unknown
clean
https://autodiscover-s.outlook.com/
unknown
clean
https://roaming.edog.
unknown
clean
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
unknown
clean
https://cdn.entity.
unknown
clean
https://api.addins.omex.office.net/appinfo/query
unknown
clean
https://clients.config.office.net/user/v1.0/tenantassociationkey
unknown
clean
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
unknown
clean
https://powerlift.acompli.net
unknown
clean
https://rpsticket.partnerservices.getmicrosoftkey.com
unknown
clean
https://lookup.onenote.com/lookup/geolocation/v1
unknown
clean
https://cortana.ai
unknown
clean
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
clean
https://cloudfiles.onenote.com/upload.aspx
unknown
clean
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
unknown
clean
https://entitlement.diagnosticssdf.office.com
unknown
clean
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
unknown
clean
https://api.aadrm.com/
unknown
clean
https://ofcrecsvcapi-int.azurewebsites.net/
unknown
clean
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
unknown
clean
https://api.microsoftstream.com/api/
unknown
clean
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
unknown
clean
https://cr.office.com
unknown
clean
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
unknown
clean
https://portal.office.com/account/?ref=ClientMeControl
unknown
clean
https://graph.ppe.windows.net
unknown
clean
https://res.getmicrosoftkey.com/api/redemptionevents
unknown
clean
https://powerlift-frontdesk.acompli.net
unknown
clean
https://tasks.office.com
unknown
clean
https://officeci.azurewebsites.net/api/
unknown
clean
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
unknown
clean
https://store.office.cn/addinstemplate
unknown
clean
https://api.aadrm.com
unknown
clean
https://outlook.office.com/autosuggest/api/v1/init?cvid=
unknown
clean
https://globaldisco.crm.dynamics.com
unknown
clean
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
clean
https://dev0-api.acompli.net/autodetect
unknown
clean
https://www.odwebp.svc.ms
unknown
clean
https://api.powerbi.com/v1.0/myorg/groups
unknown
clean
https://web.microsoftstream.com/video/
unknown
clean
https://api.addins.store.officeppe.com/addinstemplate
unknown
clean
https://graph.windows.net
unknown
clean
https://dataservice.o365filtering.com/
unknown
clean
https://officesetup.getmicrosoftkey.com
unknown
clean
https://analysis.windows.net/powerbi/api
unknown
clean
https://prod-global-autodetect.acompli.net/autodetect
unknown
clean
https://outlook.office365.com/autodiscover/autodiscover.json
unknown
clean
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
unknown
clean
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
clean
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
unknown
clean
https://ncus.contentsync.
unknown
clean