Windows Analysis Report http://zindagidesire.org/quodoptio/omnissunt-6533473

Overview

General Information

Sample URL: http://zindagidesire.org/quodoptio/omnissunt-6533473
Analysis ID: 528479
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Yara detected hidden Macro 4.0 in Excel
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)

Classification

Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49805 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 019309B7h 6_2_019302A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 019309B6h 6_2_019302A8
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 25 Nov 2021 10:04:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 157x-powered-by: PHP/7.4.25set-cookie: PHPSESSID=459f13144c1235550078ac9c92f00c00; path=/expires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cachecontent-encoding: gzipvary: Accept-Encodingx-turbo-charged-by: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 8e 41 0e 82 30 10 45 af d2 74 53 58 d8 1e c0 a1 89 26 2e 3c 81 eb d2 69 64 02 74 0a 0c 24 78 7a 03 ba 7b f9 8b f7 1f 74 32 0e 1e 5a c6 dd 03 d2 a6 08 1b 9d 7b ad 50 2e b9 6f b4 9b 56 46 2e 42 ec 62 17 66 59 ec 87 8a f6 e0 90 36 0f 4b 9c a9 88 1f 38 06 21 ce b6 04 e9 72 18 93 6a 14 72 5c c7 94 c5 be 93 3c 86 74 e0 7d 7f 62 65 72 6f ea 63 bc 89 cc d4 ae 92 2a 73 7e 99 fa 0a ee 2f 04 f7 0b 72 67 dd 2b 90 58 6b bf 89 48 4c 09 ab 00 00 00 Data Ascii: -A0EtSX&.<idt$xz{t2Z{P.oVF.BbfY6K8!rjr\<t}beroc*s~/rg+XkHL
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Server: BitNinja Captcha ServerDate: Thu, 25 Nov 2021 10:03:54 GMTContent-Length: 13768Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6a 6f 6f 6d 6c 61 2c 20 4a 6f 6f 6d 6c 61 2c 20 6a 6f 6f 6d 6c 61 20 31 2e 35 2c 20 77 6f 72 64 70 72 65 73 73 20 32 2e 35 2c 20 44 72 75 70 61 6c 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 20 31 2e 35 20 2d 20 4f 70 65 6e 20 53 6f 75 72 63 65 20 43 6f 6e 74 65 6e 74 20 4d 61 6e 61 67 65 6d 65 6e 74 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 57 6f 72 64 50 72 65 73 73 20 32 2e 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 57 61 69 74 69 6e 67 20 66 6f 72 20 74 68 65 20 72 65 64 69 72 65 63 74 69 72 6f 6e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 20 20 20 20 20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Server: BitNinja Captcha ServerDate: Thu, 25 Nov 2021 10:03:54 GMTContent-Length: 0Connection: close
Source: angular.js.1.dr String found in binary or memory: http://angularjs.org
Source: angular.js.1.dr String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: pnacl_public_x86_64_pnacl_sz_nexe.1.dr String found in binary or memory: http://llvm.org/):
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: Current Session.1.dr String found in binary or memory: http://zindagidesire.org
Source: 000003.log2.1.dr, data_1.3.dr, omnissunt-6533473.zip_Zone.Identifier.5.dr String found in binary or memory: http://zindagidesire.org/quodoptio/charts.zip
Source: History.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/charts.zip8
Source: Current Session.1.dr, omnissunt-6533473.zip_Zone.Identifier.5.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-6533473
Source: 000003.log2.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-65334730
Source: 000003.log2.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-65334730BJP
Source: 000003.log2.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-65334730BJPZ
Source: History Provider Cache.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-65334732
Source: Current Session.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-6533473T
Source: History.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-6533473Waiting
Source: History.1.dr String found in binary or memory: http://zindagidesire.org/quodoptio/omnissunt-6533473http://zindagidesire.org/quodoptio/omnissunt-653
Source: manifest.json0.1.dr, 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.1.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.aadrm.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.aadrm.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.cortana.ai
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.diagnostics.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.office.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.onedrive.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: manifest.json0.1.dr, 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://apis.google.com
Source: mirroring_common.js.1.dr String found in binary or memory: https://apis.google.com/js/client.js
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://augloop.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://augloop.office.com/v2
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: Current Session.1.dr String found in binary or memory: https://bitninja.io/
Source: Current Session.1.dr String found in binary or memory: https://bitninja.io/t
Source: Current Session.1.dr String found in binary or memory: https://bitninja.io/uK
Source: mirroring_common.js.1.dr String found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cdn.entity.
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://clients.config.office.net/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://clients2.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json0.1.dr, manifest.json.1.dr, manifest.json1.1.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://clients6.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: pnacl_public_x86_64_ld_nexe.1.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.1.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://config.edge.skype.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: manifest.json0.1.dr String found in binary or memory: https://content.googleapis.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cortana.ai
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cortana.ai/api
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://cr.office.com
Source: common.js.1.dr, mirroring_cast_streaming.js.1.dr String found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dev.cortana.ai
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://devnull.onenote.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://directory.services.
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr, 2a7aed8c-4eda-40e5-b19d-b48f80025ee3.tmp.3.dr, 48f98a2f-5bb4-4d43-b4ab-b2450b661240.tmp.3.dr String found in binary or memory: https://dns.google
Source: mirroring_common.js.1.dr String found in binary or memory: https://docs.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: manifest.json0.1.dr String found in binary or memory: https://feedback.googleusercontent.com
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json0.1.dr String found in binary or memory: https://fonts.googleapis.com;
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json0.1.dr String found in binary or memory: https://fonts.gstatic.com;
Source: angular.js.1.dr, material_css_min.css.1.dr String found in binary or memory: https://github.com/angular/material
Source: craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://graph.ppe.windows.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://graph.windows.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://graph.windows.net/
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://hangouts.clients6.google.com
Source: manifest.json0.1.dr String found in binary or memory: https://hangouts.google.com/
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://lifecycle.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://login.microsoftonline.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://login.windows.local
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://management.azure.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://management.azure.com/
Source: mirroring_common.js.1.dr String found in binary or memory: https://meet.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://meetings.clients6.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://messaging.office.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ncus.contentsync.
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: mirroring_common.js.1.dr String found in binary or memory: https://networktraversal.googleapis.com/v1alpha
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://officeapps.live.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://ogs.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://onedrive.live.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://osi.office.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://otelrules.azureedge.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office365.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office365.com/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: manifest.json.1.dr, craw_window.js.1.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://play.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://powerlift.acompli.net
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://r2---sn-4g5e6nz7.gvt1.com
Source: data_1.3.dr String found in binary or memory: https://r2---sn-4g5e6nz7.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://redirector.gvt1.com
Source: data_1.3.dr String found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://roaming.edog.
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: manifest.json.1.dr, craw_window.js.1.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://settings.outlook.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://ssl.gstatic.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://staging.cortana.ai
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: messages.json83.1.dr, messages.json40.1.dr, messages.json52.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json22.1.dr, messages.json77.1.dr, messages.json34.1.dr, messages.json54.1.dr, messages.json10.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json9.1.dr, messages.json62.1.dr, messages.json85.1.dr, messages.json41.1.dr, messages.json20.1.dr, messages.json24.1.dr, messages.json8.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json69.1.dr, messages.json1.1.dr, messages.json15.1.dr, messages.json33.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json23.1.dr, messages.json50.1.dr, messages.json25.1.dr, messages.json68.1.dr, messages.json53.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json32.1.dr, messages.json2.1.dr, messages.json55.1.dr, messages.json82.1.dr, messages.json81.1.dr, messages.json42.1.dr, messages.json78.1.dr, messages.json31.1.dr, messages.json0.1.dr, messages.json11.1.dr, messages.json.1.dr, messages.json13.1.dr, messages.json14.1.dr String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json83.1.dr, messages.json40.1.dr, messages.json52.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json22.1.dr, messages.json77.1.dr, messages.json34.1.dr, messages.json54.1.dr, messages.json10.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json9.1.dr, messages.json62.1.dr, messages.json85.1.dr, messages.json41.1.dr, messages.json20.1.dr, messages.json24.1.dr, messages.json8.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json69.1.dr, messages.json1.1.dr, messages.json15.1.dr, messages.json33.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json23.1.dr, messages.json50.1.dr, messages.json25.1.dr, messages.json68.1.dr, messages.json53.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json32.1.dr, messages.json2.1.dr, messages.json55.1.dr, messages.json82.1.dr, messages.json81.1.dr, messages.json42.1.dr, messages.json78.1.dr, messages.json31.1.dr, messages.json0.1.dr, messages.json11.1.dr, messages.json.1.dr, messages.json13.1.dr, messages.json14.1.dr String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://tasks.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://webshell.suite.office.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://wus2.contentsync.
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: manifest.json0.1.dr, 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://www.google.com
Source: manifest.json.1.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.1.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: feedback_script.js.1.dr String found in binary or memory: https://www.google.com/tools/feedback
Source: manifest.json0.1.dr String found in binary or memory: https://www.google.com;
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, craw_background.js.1.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr, craw_window.js.1.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: mirroring_common.js.1.dr String found in binary or memory: https://www.googleapis.com/calendar/v3
Source: mirroring_common.js.1.dr String found in binary or memory: https://www.googleapis.com/hangouts/v1
Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.dr String found in binary or memory: https://www.gstatic.com
Source: common.js.1.dr String found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
Source: manifest.json0.1.dr String found in binary or memory: https://www.gstatic.com;
Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: zindagidesire.org
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /aQ6mO5EsFPz/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: magnascakes.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /oqxIAZfo56z/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sherwinclothing.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /utGI12nl/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: microtechzambia.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /quodoptio/omnissunt-6533473 HTTP/1.1Host: zindagidesire.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: zindagidesire.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Referer: http://zindagidesire.org/quodoptio/omnissunt-6533473Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /quodoptio/omnissunt-6533473 HTTP/1.1Host: zindagidesire.orgConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://zindagidesire.org/quodoptio/omnissunt-6533473Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /quodoptio/omnissunt-6533473 HTTP/1.1Host: zindagidesire.orgConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://zindagidesire.org/quodoptio/omnissunt-6533473Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /quodoptio/charts.zip HTTP/1.1Host: zindagidesire.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://zindagidesire.org/quodoptio/omnissunt-6533473Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=459f13144c1235550078ac9c92f00c00
Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49805 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: unarchiver.exe, 00000006.00000002.636901642.000000000153B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Yara signature match
Source: C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_019302A8 6_2_019302A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_01930298 6_2_01930298
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://zindagidesire.org/quodoptio/omnissunt-6533473
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,4247150022949698433,15184573980368063471,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1576,4247150022949698433,15184573980368063471,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=3368 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\omnissunt-6533473.zip
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yiopw1wm.acj" "C:\Users\user\Downloads\omnissunt-6533473.zip
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,4247150022949698433,15184573980368063471,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1576,4247150022949698433,15184573980368063471,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=3368 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\omnissunt-6533473.zip Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yiopw1wm.acj" "C:\Users\user\Downloads\omnissunt-6533473.zip Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5832:120:WilError_01
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-619FDE16-1A14.pma Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\6a89d196-4ec6-4dc8-b8ae-b18f1e635151.tmp Jump to behavior
Source: classification engine Classification label: mal52.expl.win@52/266@8/13
Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4668 Thread sleep count: 155 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4668 Thread sleep time: -77500s >= -30000s Jump to behavior
Source: cmd.exe, 0000000A.00000002.637355711.000000000366B000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\5I
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls, type: DROPPED
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yiopw1wm.acj" "C:\Users\user\Downloads\omnissunt-6533473.zip Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde Jump to behavior
Source: unarchiver.exe, 00000006.00000002.637238920.0000000001CE0000.00000002.00020000.sdmp, cmd.exe, 0000000A.00000002.637669924.00000000040C0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: unarchiver.exe, 00000006.00000002.637238920.0000000001CE0000.00000002.00020000.sdmp, cmd.exe, 0000000A.00000002.637669924.00000000040C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000006.00000002.637238920.0000000001CE0000.00000002.00020000.sdmp, cmd.exe, 0000000A.00000002.637669924.00000000040C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: unarchiver.exe, 00000006.00000002.637238920.0000000001CE0000.00000002.00020000.sdmp, cmd.exe, 0000000A.00000002.637669924.00000000040C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior