IOC Report

loading gif

Files

File Path
Type
Category
Malicious
survey-1384723731.xls
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Thu Nov 25 10:07:14 2021, Security: 0
initial sample
malicious
C:\Users\user\Desktop\survey-1384723731.xls
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Thu Nov 25 10:07:14 2021, Security: 0
dropped
malicious
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CBFF3701-7631-452C-BE3A-4FA719E7E49C
XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DB32F834.tmp
Composite Document File V2 Document, Cannot read section info
dropped
clean
C:\Users\user\AppData\Local\Temp\~DF914C0A2C8AFAF4B5.TMP
data
dropped
clean
C:\Users\user\AppData\Local\Temp\~DFD6AFEF8B4ED1CD1D.TMP
data
dropped
clean
C:\Users\user\AppData\Local\Temp\91C4.tmp
Composite Document File V2 Document, Cannot read section info
dropped
clean
C:\Users\user\AppData\Local\Temp\~DF22AC4F44EF579D15.TMP
data
dropped
clean
C:\Users\user\AppData\Local\Temp\~DF8E36D078DBA15E72.TMP
data
dropped
clean

Processes

Path
Cmdline
Malicious
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
malicious
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
malicious
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
malicious
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
malicious
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
malicious
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
malicious
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
malicious

URLs

Name
IP
Malicious
https://api.diagnosticssdf.office.com
unknown
clean
https://login.microsoftonline.com/
unknown
clean
https://shell.suite.office.com:1443
unknown
clean
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
unknown
clean
https://autodiscover-s.outlook.com/
unknown
clean
https://roaming.edog.
unknown
clean
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
unknown
clean
https://cdn.entity.
unknown
clean
https://api.addins.omex.office.net/appinfo/query
unknown
clean
https://clients.config.office.net/user/v1.0/tenantassociationkey
unknown
clean
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
unknown
clean
https://powerlift.acompli.net
unknown
clean
https://rpsticket.partnerservices.getmicrosoftkey.com
unknown
clean
https://lookup.onenote.com/lookup/geolocation/v1
unknown
clean
https://cortana.ai
unknown
clean
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
clean
https://cloudfiles.onenote.com/upload.aspx
unknown
clean
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
unknown
clean
https://entitlement.diagnosticssdf.office.com
unknown
clean
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
unknown
clean
https://api.aadrm.com/
unknown
clean
https://ofcrecsvcapi-int.azurewebsites.net/
unknown
clean
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
unknown
clean
https://api.microsoftstream.com/api/
unknown
clean
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
unknown
clean
https://cr.office.com
unknown
clean
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
unknown
clean
https://portal.office.com/account/?ref=ClientMeControl
unknown
clean
https://graph.ppe.windows.net
unknown
clean
https://res.getmicrosoftkey.com/api/redemptionevents
unknown
clean
https://powerlift-frontdesk.acompli.net
unknown
clean
https://tasks.office.com
unknown
clean
https://officeci.azurewebsites.net/api/
unknown
clean
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
unknown
clean
https://store.office.cn/addinstemplate
unknown
clean
https://api.aadrm.com
unknown
clean
https://outlook.office.com/autosuggest/api/v1/init?cvid=
unknown
clean
https://globaldisco.crm.dynamics.com
unknown
clean
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
clean
https://dev0-api.acompli.net/autodetect
unknown
clean
https://www.odwebp.svc.ms
unknown
clean
https://api.powerbi.com/v1.0/myorg/groups
unknown
clean
https://web.microsoftstream.com/video/
unknown
clean
https://api.addins.store.officeppe.com/addinstemplate
unknown
clean
https://graph.windows.net
unknown
clean
https://dataservice.o365filtering.com/
unknown
clean
https://officesetup.getmicrosoftkey.com
unknown
clean
https://analysis.windows.net/powerbi/api
unknown
clean
https://prod-global-autodetect.acompli.net/autodetect
unknown
clean
https://outlook.office365.com/autodiscover/autodiscover.json
unknown
clean
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
unknown
clean
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
clean
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
unknown
clean
https://ncus.contentsync.
unknown
clean
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
unknown
clean
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
unknown
clean
https://srkcampus.org/OYcMRJbL/ji.html
192.185.129.7
clean
http://weather.service.msn.com/data.aspx
unknown
clean
https://apis.live.net/v5.0/
unknown