Windows Analysis Report
message_tracking_1655942871715.xlsx

Overview

General Information

Sample Name: message_tracking_1655942871715.xlsx
Analysis ID: 651264
MD5: f58a136e486dfe359bbe2edca42fcd9b
SHA1: fd61fe4344e019499a9f6374bf8675f0204aa115
SHA256: 596f05e887818b885e18ed3d5f3f46ed06d128c087aa2c294cffeecb9be212de

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

No high impact signatures.

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 7108 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


There are no malicious signatures.

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{DE3C6A9C-0534-433A-8810-7B33C4ACE160} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: classification engine | Classification label: clean0.winXLSX@1/1@0/0
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: message_tracking_1655942871715.xlsx | Joe Sandbox Cloud Basic: Detection: clean, Score: 2
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
MITRE ATT&CK Matrix (the leading number in a cell is the count of matched signatures for that technique)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 2 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
No Antivirus matches
No contacted domains info
                                                                                                                                                        No contacted IP infos
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 651264
Start date and time: 2022-06-23 18:07:57 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 26s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: message_tracking_1655942871715.xlsx
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winXLSX@1/1@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Adjust boot time
  • Enable AMSI
                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 52.109.32.24, 52.109.88.40, 52.109.12.22
                                                                                                                                                        • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, licensing.mp.microsoft.com, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; report is missing behavior information
No simulations
No context
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):149126
Entropy (8bit):5.356719938993684
Encrypted:false
SSDEEP:1536:JcQW/gxgB5BQguw5/Q9DQC+zQWk4F77nXmvidkXx5ETLKz6e:QJQ9DQC+zcXwI
MD5:79C5AF0D95104907ACEDFD81720A7444
SHA1:4B3EB41EFC9EAB59A4933C83838EAE9DD095124B
SHA-256:F88916160CF4AD8FA9A9732E8345E795CEEF2A47B91CB109FE014F2D4DA1532C
SHA-512:A51A4D78AFE4987ADB7BF28F993892750237DBA9ABDCB147555AE99B34B6ACB91525DCEC087C742478EED103B04240D50F5CF4A3D3CB9517BFB54CAB6F55FBBF
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-23T16:09:01">.. Build: 16.0.15420.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
File type:Microsoft OOXML
Entropy (8bit):7.9596137165530765
TrID:
• ZIP compressed archive (8000/1) 100.00%
File name:message_tracking_1655942871715.xlsx
File size:89336
MD5:f58a136e486dfe359bbe2edca42fcd9b
SHA1:fd61fe4344e019499a9f6374bf8675f0204aa115
SHA256:596f05e887818b885e18ed3d5f3f46ed06d128c087aa2c294cffeecb9be212de
SHA512:9a8fe10095579ebe687c0d71f5be1b6859c7e7e14dd06adbc0c0b3658b1b1b6f867a1126f882156ca1bb4c071310b78c63520bf22433104a63bc8fc84a140638
SSDEEP:1536:E+q4i/JRYja0Y70G1g99qO4tHq50vCrjXkyNTcvs+mkX86THlFYFt4RehgJstjz0:E+BihRYjgz12KKmvCrbkylkMeF2Ft8e8
TLSH:3693F2BA938118D1D7F0B9BE47F88DC3375B3AB4C64B8A81DE0870FA21B5D115629ED1
Icon Hash:74ecd0d2d6d6d0dc
No network behavior found
No statistics
Target ID:0
Start time:18:08:59
Start date:23/06/2022
Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:0x50000
File size:27110184 bytes
MD5 hash:5D6638F2C8F8571C593999C58866007E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

No disassembly