Windows Analysis Report http://zindagidesire.org/quodoptio/omnissunt-6533473

Overview

General Information

Sample URL: http://zindagidesire.org/quodoptio/omnissunt-6533473
Analysis ID: 528479
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Yara detected hidden Macro 4.0 in Excel
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)

Classification

Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49805 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 019309B7h 6_2_019302A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 019309B6h 6_2_019302A8
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 25 Nov 2021 10:04:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 157x-powered-by: PHP/7.4.25set-cookie: PHPSESSID=459f13144c1235550078ac9c92f00c00; path=/expires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cachecontent-encoding: gzipvary: Accept-Encodingx-turbo-charged-by: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 8e 41 0e 82 30 10 45 af d2 74 53 58 d8 1e c0 a1 89 26 2e 3c 81 eb d2 69 64 02 74 0a 0c 24 78 7a 03 ba 7b f9 8b f7 1f 74 32 0e 1e 5a c6 dd 03 d2 a6 08 1b 9d 7b ad 50 2e b9 6f b4 9b 56 46 2e 42 ec 62 17 66 59 ec 87 8a f6 e0 90 36 0f 4b 9c a9 88 1f 38 06 21 ce b6 04 e9 72 18 93 6a 14 72 5c c7 94 c5 be 93 3c 86 74 e0 7d 7f 62 65 72 6f ea 63 bc 89 cc d4 ae 92 2a 73 7e 99 fa 0a ee 2f 04 f7 0b 72 67 dd 2b 90 58 6b bf 89 48 4c 09 ab 00 00 00 Data Ascii: -A0EtSX&.<idt$xz{t2Z{P.oVF.BbfY6K8!rjr\<t}beroc*s~/rg+XkHL
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Server: BitNinja Captcha ServerDate: Thu, 25 Nov 2021 10:03:54 GMTContent-Length: 13768Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6a 6f 6f 6d 6c 61 2c 20 4a 6f 6f 6d 6c 61 2c 20 6a 6f 6f 6d 6c 61 20 31 2e 35 2c 20 77 6f 72 64 70 72 65 73 73 20 32 2e 35 2c 20 44 72 75 70 61 6c 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 20 31 2e 35 20 2d 20 4f 70 65 6e 20 53 6f 75 72 63 65 20 43 6f 6e 74 65 6e 74 20 4d 61 6e 61 67 65 6d 65 6e 74 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 57 6f 72 64 50 72 65 73 73 20 32 2e 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 57 61 69 74 69 6e 67 20 66 6f 72 20 74 68 65 20 72 65 64 69 72 65 63 74 69 72 6f 6e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 20 20 20 20 20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Server: BitNinja Captcha ServerDate: Thu, 25 Nov 2021 10:03:54 GMTContent-Length: 0Connection: close
Source: angular.js.1.dr String found in binary or memory: http://angularjs.org
Source: angular.js.1.dr String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: pnacl_public_x86_64_pnacl_sz_nexe.1.dr String found in binary or memory: http://llvm.org/):
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: Current Session.1.dr String found in binary or memory: http://zindagidesire.org
Source: 000003.log2.1.dr, data_1.3.dr, omnissunt-6533473.zip_Zone.Identifier.5.dr String found in binary or memory: http://zindagidesire.org/quodoptio/charts.zip
Source: History.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/charts.zip8
Source: Current Session.1.dr, omnissunt-6533473.zip_Zone.Identifier.5.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-6533473
Source: 000003.log2.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-65334730
Source: 000003.log2.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-65334730BJP
Source: 000003.log2.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-65334730BJPZ
Source: History Provider Cache.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-65334732
Source: Current Session.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-6533473T
Source: History.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-6533473Waiting
Source: History.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-6533473http://zindagidesire.org/quodoptio/omnissunt-653
Source: manifest.json0.1.dr, 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.1.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.aadrm.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.aadrm.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.cortana.ai
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.diagnostics.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.office.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.onedrive.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: manifest.json0.1.dr, 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://apis.google.com
Source: mirroring_common.js.1.dr String found in binary or memory: https://apis.google.com/js/client.js
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://augloop.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://augloop.office.com/v2
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: Current Session.1.dr String found in binary or memory: https://bitninja.io/
Source: Current Session.1.dr String found in binary or memory: https://bitninja.io/t
Source: Current Session.1.dr String found in binary or memory: https://bitninja.io/uK
Source: mirroring_common.js.1.dr String found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cdn.entity.
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://clients.config.office.net/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://clients2.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json0.1.dr, manifest.json.1.dr, manifest.json1.1.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://clients6.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: pnacl_public_x86_64_ld_nexe.1.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.1.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://config.edge.skype.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: manifest.json0.1.dr String found in binary or memory: https://content.googleapis.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cortana.ai
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cortana.ai/api
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cr.office.com
Source: common.js.1.dr, mirroring_cast_streaming.js.1.dr String found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dev.cortana.ai
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://devnull.onenote.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://directory.services.
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr, 2a7aed8c-4eda-40e5-b19d-b48f80025ee3.tmp.3.dr, 48f98a2f-5bb4-4d43-b4ab-b2450b661240.tmp.3.dr String found in binary or memory: https://dns.google
Source: mirroring_common.js.1.dr String found in binary or memory: https://docs.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: manifest.json0.1.dr String found in binary or memory: https://feedback.googleusercontent.com
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json0.1.dr String found in binary or memory: https://fonts.googleapis.com;
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json0.1.dr String found in binary or memory: https://fonts.gstatic.com;
Source: angular.js.1.dr, material_css_min.css.1.dr String found in binary or memory: https://github.com/angular/material
Source: craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://graph.ppe.windows.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://graph.windows.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://graph.windows.net/
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://hangouts.clients6.google.com
Source: manifest.json0.1.dr String found in binary or memory: https://hangouts.google.com/
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://lifecycle.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://login.microsoftonline.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://login.windows.local
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://management.azure.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://management.azure.com/
Source: mirroring_common.js.1.dr String found in binary or memory: https://meet.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://meetings.clients6.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://messaging.office.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ncus.contentsync.
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: mirroring_common.js.1.dr String found in binary or memory: https://networktraversal.googleapis.com/v1alpha
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://officeapps.live.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://ogs.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://onedrive.live.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://osi.office.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://otelrules.azureedge.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office365.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office365.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: manifest.json.1.dr, craw_window.js.1.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://play.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://powerlift.acompli.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://r2---sn-4g5e6nz7.gvt1.com
Source: data_1.3.dr String found in binary or memory: https://r2---sn-4g5e6nz7.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://redirector.gvt1.com
Source: data_1.3.dr String found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://roaming.edog.
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: manifest.json.1.dr, craw_window.js.1.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://settings.outlook.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://ssl.gstatic.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://staging.cortana.ai
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: messages.json83.1.dr, messages.json40.1.dr, messages.json52.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json22.1.dr, messages.json77.1.dr, messages.json34.1.dr, messages.json54.1.dr, messages.json10.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json9.1.dr, messages.json62.1.dr, messages.json85.1.dr, messages.json41.1.dr, messages.json20.1.dr, messages.json24.1.dr, messages.json8.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json69.1.dr, messages.json1.1.dr, messages.json15.1.dr, messages.json33.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json23.1.dr, messages.json50.1.dr, messages.json25.1.dr, messages.json68.1.dr, messages.json53.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json32.1.dr, messages.json2.1.dr, messages.json55.1.dr, messages.json82.1.dr, messages.json81.1.dr, messages.json42.1.dr, messages.json78.1.dr, messages.json31.1.dr, messages.json0.1.dr, messages.json11.1.dr, messages.json.1.dr, messages.json13.1.dr, messages.json14.1.dr String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json83.1.dr, messages.json40.1.dr, messages.json52.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json22.1.dr, messages.json77.1.dr, messages.json34.1.dr, messages.json54.1.dr, messages.json10.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json9.1.dr, messages.json62.1.dr, messages.json85.1.dr, messages.json41.1.dr, messages.json20.1.dr, messages.json24.1.dr, messages.json8.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json69.1.dr, messages.json1.1.dr, messages.json15.1.dr, messages.json33.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json23.1.dr, messages.json50.1.dr, messages.json25.1.dr, messages.json68.1.dr, messages.json53.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json32.1.dr, messages.json2.1.dr, messages.json55.1.dr, messages.json82.1.dr, messages.json81.1.dr, messages.json42.1.dr, messages.json78.1.dr, messages.json31.1.dr, messages.json0.1.dr, messages.json11.1.dr, messages.json.1.dr, messages.json13.1.dr, messages.json14.1.dr String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://tasks.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://webshell.suite.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://wus2.contentsync.
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: manifest.json0.1.dr, 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://www.google.com
Source: manifest.json.1.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.1.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: feedback_script.js.1.dr String found in binary or memory: https://www.google.com/tools/feedback
Source: manifest.json0.1.dr String found in binary or memory: https://www.google.com;
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, craw_background.js.1.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr, craw_window.js.1.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: mirroring_common.js.1.dr String found in binary or memory: https://www.googleapis.com/calendar/v3
Source: mirroring_common.js.1.dr String found in binary or memory: https://www.googleapis.com/hangouts/v1
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://www.gstatic.com
Source: common.js.1.dr String found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
Source: manifest.json0.1.dr String found in binary or memory: https://www.gstatic.com;
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: zindagidesire.org
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /aQ6mO5EsFPz/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: magnascakes.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /oqxIAZfo56z/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sherwinclothing.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /utGI12nl/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: microtechzambia.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /quodoptio/omnissunt-6533473 HTTP/1.1Host: zindagidesire.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: zindagidesire.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Referer: http://zindagidesire.org/quodoptio/omnissunt-6533473Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /quodoptio/omnissunt-6533473 HTTP/1.1Host: zindagidesire.orgConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://zindagidesire.org/quodoptio/omnissunt-6533473Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /quodoptio/omnissunt-6533473 HTTP/1.1Host: zindagidesire.orgConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://zindagidesire.org/quodoptio/omnissunt-6533473Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /quodoptio/charts.zip HTTP/1.1Host: zindagidesire.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://zindagidesire.org/quodoptio/omnissunt-6533473Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=459f13144c1235550078ac9c92f00c00
Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49805 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: unarchiver.exe, 00000006.00000002.636901642.000000000153B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Yara signature match
Source: C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_019302A8 6_2_019302A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_01930298 6_2_01930298
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://zindagidesire.org/quodoptio/omnissunt-6533473
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,4247150022949698433,15184573980368063471,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1576,4247150022949698433,15184573980368063471,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=3368 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\omnissunt-6533473.zip
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yiopw1wm.acj" "C:\Users\user\Downloads\omnissunt-6533473.zip
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,4247150022949698433,15184573980368063471,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1576,4247150022949698433,15184573980368063471,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=3368 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\omnissunt-6533473.zip Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yiopw1wm.acj" "C:\Users\user\Downloads\omnissunt-6533473.zip Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5832:120:WilError_01
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-619FDE16-1A14.pma Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\6a89d196-4ec6-4dc8-b8ae-b18f1e635151.tmp Jump to behavior
Source: classification engine Classification label: mal52.expl.win@52/266@8/13
Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4668 Thread sleep count: 155 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4668 Thread sleep time: -77500s >= -30000s Jump to behavior
Source: cmd.exe, 0000000A.00000002.637355711.000000000366B000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\5I
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls, type: DROPPED
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yiopw1wm.acj" "C:\Users\user\Downloads\omnissunt-6533473.zip Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde Jump to behavior
Source: unarchiver.exe, 00000006.00000002.637238920.0000000001CE0000.00000002.00020000.sdmp, cmd.exe, 0000000A.00000002.637669924.00000000040C0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: unarchiver.exe, 00000006.00000002.637238920.0000000001CE0000.00000002.00020000.sdmp, cmd.exe, 0000000A.00000002.637669924.00000000040C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000006.00000002.637238920.0000000001CE0000.00000002.00020000.sdmp, cmd.exe, 0000000A.00000002.637669924.00000000040C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: unarchiver.exe, 00000006.00000002.637238920.0000000001CE0000.00000002.00020000.sdmp, cmd.exe, 0000000A.00000002.637669924.00000000040C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 528479 URL: http://zindagidesire.org/qu... Startdate: 25/11/2021 Architecture: WINDOWS Score: 52 64 Sigma detected: Microsoft Office Product Spawning Windows Shell 2->64 66 Document exploit detected (process start blacklist hit) 2->66 68 Yara detected hidden Macro 4.0 in Excel 2->68 9 chrome.exe 18 421 2->9         started        process3 dnsIp4 46 192.168.2.1 unknown unknown 9->46 48 192.168.2.6 unknown unknown 9->48 50 2 other IPs or domains 9->50 40 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 9->40 dropped 42 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 9->42 dropped 44 C:\Users\user\...\pnacl_public_x86_64_ld_nexe, ELF 9->44 dropped 13 unarchiver.exe 5 9->13         started        15 chrome.exe 16 9->15         started        18 chrome.exe 1 1 9->18         started        file5 process6 dnsIp7 20 7za.exe 2 13->20         started        23 cmd.exe 7 2 13->23         started        58 zindagidesire.org 168.119.36.203, 49740, 49741, 49756 HETZNER-ASDE Germany 15->58 60 clients.l.google.com 142.250.203.110, 443, 49739, 52131 GOOGLEUS United States 15->60 62 6 other IPs or domains 15->62 process8 file9 38 C:\Users\user\AppData\...\favor-331256589.xls, Composite 20->38 dropped 25 conhost.exe 20->25         started        27 EXCEL.EXE 23 38 23->27         started        30 conhost.exe 23->30         started        process10 dnsIp11 52 magnascakes.com.br 108.179.253.213, 443, 49803 UNIFIEDLAYER-AS-1US United States 27->52 54 microtechzambia.com 142.4.29.152, 443, 49805 UNIFIEDLAYER-AS-1US United States 27->54 56 sherwinclothing.in 103.53.42.241, 443, 49804 PUBLIC-DOMAIN-REGISTRYUS India 27->56 32 regsvr32.exe 27->32         started        34 regsvr32.exe 27->34         started        36 regsvr32.exe 27->36         started        process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.53.42.241
 sherwinclothing.in India
394695 PUBLIC-DOMAIN-REGISTRYUS false
142.250.203.110
 clients.l.google.com United States
15169 GOOGLEUS false
168.119.36.203
 zindagidesire.org Germany
24940 HETZNER-ASDE false
172.217.168.45
 accounts.google.com United States
15169 GOOGLEUS false
108.179.253.213
 magnascakes.com.br United States
46606 UNIFIEDLAYER-AS-1US false
142.250.203.97
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
164.68.112.8
 bitninja.io Germany
51167 CONTABODE false
142.4.29.152
 microtechzambia.com United States
46606 UNIFIEDLAYER-AS-1US false

Private
IP
192.168.2.1
192.168.2.7
192.168.2.6
127.0.0.1

Contacted Domains

Name IP Active
microtechzambia.com 142.4.29.152 true
bitninja.io 164.68.112.8 true
accounts.google.com 172.217.168.45 true
magnascakes.com.br 108.179.253.213 true
sherwinclothing.in 103.53.42.241 true
clients.l.google.com 142.250.203.110 true
zindagidesire.org 168.119.36.203 true
googlehosted.l.googleusercontent.com 142.250.203.97 true
clients2.googleusercontent.com unknown unknown
clients2.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://magnascakes.com.br/aQ6mO5EsFPz/yh.html false
  • Avira URL Cloud: safe
 unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 false
    		high
    https://microtechzambia.com/utGI12nl/yh.html false
    • Avira URL Cloud: safe
    		 unknown
    https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard false
      		high
      http://zindagidesire.org/quodoptio/omnissunt-6533473 false
        		unknown