Windows Analysis Report
Invoice#0036473 .xlsx

Overview

General Information

Sample Name: Invoice#0036473 .xlsx
Analysis ID: 655570
MD5: c93e6dcf32928e1da7346b6ca3a1dc85
SHA1: b90d66412b4d6669a175fd30e32bbe44428bd245
SHA256: 3ffe69c9e2e2f8a350f7d2ff6e64acf8cffbf390489807b81cf8e4eec87d4047
Detection

HTMLPhisher
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
Antivirus detection for URL or domain
Yara detected HtmlPhish7
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Document exploit detected (process start blacklist hit)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
No HTML title found
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTML body contains low number of good links
Potential document exploit detected (performs HTTP gets)
Suspicious form URL found
IP address seen in connection with other malware
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection

Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html SlashNext: Label: Credential Stealing type: Phishing & Social Engineering
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/images/office3651.png Avira URL Cloud: Label: phishing
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/css/hover.css Avira URL Cloud: Label: phishing
Source: eyecandylashcompany.com Virustotal: Detection: 6%
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\index[1].htm Avira: detection malicious, Label: HTML/Infected.WebPage.Gen2

Phishing

Source: Yara match File source: 81384.0.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\index[1].htm, type: DROPPED
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html HTTP Parser: HTML title missing
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html HTTP Parser: Number of links: 0
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html HTTP Parser: Form action: azn.php
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html HTTP Parser: No <meta name="author".. found
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 172.217.16.161:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.64.150.12:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.4:49883 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.4:49884 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Program Files\Google\Chrome\Application\chrome.exe
Source: global traffic TCP traffic: 192.168.2.4:49816 -> 142.251.36.205:443
Source: global traffic DNS query: name: clients2.google.com
Source: excel.exe Memory has grown: Private usage: 1MB later: 75MB
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View IP Address: 104.17.24.14
Source: Joe Sandbox View IP Address: 104.18.10.207
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 01 Jul 2022 08:13:24 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Content-Type: text/html; charset=UTF-8
  X-Content-Type-Options: nosniff
  Date: Fri, 01 Jul 2022 08:13:25 GMT
  Server: fife
  Cache-Control: private
  X-XSS-Protection: 0
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
  Accept-Ranges: none
  Vary: Accept-Encoding
  Connection: close
  Transfer-Encoding: chunked
Source: global traffic HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Content-Type: text/html; charset=UTF-8
  X-Content-Type-Options: nosniff
  Date: Fri, 01 Jul 2022 08:13:28 GMT
  Server: fife
  Cache-Control: private
  X-XSS-Protection: 0
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
  Accept-Ranges: none
  Vary: Accept-Encoding
  Connection: close
  Transfer-Encoding: chunked
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 01 Jul 2022 08:13:28 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 01 Jul 2022 08:14:06 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 01 Jul 2022 08:14:09 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 01 Jul 2022 08:14:11 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: splwow64.exe, 00000003.00000003.291174693.0000000002A9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: splwow64.exe, 00000003.00000002.653858058.0000000002AA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsof
Source: splwow64.exe, 00000003.00000003.304856583.0000000003684000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.285935044.000000000367D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.285984805.0000000003684000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.305191833.0000000003689000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.304794326.000000000367D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.286318676.0000000003689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.
Source: splwow64.exe, 00000003.00000003.304856583.0000000003684000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.285935044.000000000367D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.285984805.0000000003684000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.305191833.0000000003689000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.304794326.000000000367D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.286318676.0000000003689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microz
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: index[1].htm.1.dr String found in binary or memory: http://www.gmail.com
Source: splwow64.exe, 00000003.00000003.289726764.000000000376E000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.289581313.0000000003767000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000003.00000003.289693223.000000000376D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.w3.oW
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.19.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://ajax.googleapis.com
Source: index[1].htm.1.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.aadrm.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.aadrm.com/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.cortana.ai
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.office.net
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.onedrive.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://apis.google.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://augloop.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://augloop.office.com/v2
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://cdn.entity.
Source: index[1].htm.1.dr String found in binary or memory: https://cdn.iconscout.com/icon/free/png-512/microsoft-sharepoint-3-599372.png
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: index[1].htm.1.dr String found in binary or memory: https://cdn.pixabay.com/photo/2018/03/10/12/00/paper-3213924_1280.jpg
Source: index[1].htm.1.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://clients.config.office.net/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://clients2.google.com
Source: manifest.json.19.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: index[1].htm.1.dr String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: index[1].htm.1.dr String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: index[1].htm.1.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://config.edge.skype.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://content-autofill.googleapis.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://cortana.ai
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://cortana.ai/api
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://cr.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://dev.cortana.ai
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://devnull.onenote.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://directory.services.
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, 7094d46a-0046-475b-bb34-1d7293eca4b5.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://dns.google
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: History Provider Cache.19.dr String found in binary or memory: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html2
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://fonts.googleapis.com
Source: index[1].htm.1.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://fonts.gstatic.com
Source: craw_window.js.19.dr, craw_background.js.19.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://graph.windows.net
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://graph.windows.net/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://invites.office.com/
Source: index[1].htm.1.dr String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://lh3.googleusercontent.com
Source: index[1].htm.1.dr String found in binary or memory: https://lh3.googleusercontent.com/proxy/bATQDWurvLlY3z2KTwUlb1gMxwLZoCk7CvqzrLqN1JioLU4nXkElVj-rMrvN
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://lifecycle.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://login.windows.local
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://management.azure.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://management.azure.com/
Source: index[1].htm.1.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: index[1].htm.1.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://messaging.action.office.com/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://messaging.engagement.office.com/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://messaging.office.com/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://ncus.contentsync.
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://officeapps.live.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://ogs.google.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://onedrive.live.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://osi.office.net
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://otelrules.azureedge.net
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://outlook.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://outlook.office.com/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://outlook.office365.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://outlook.office365.com/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: craw_window.js.19.dr, manifest.json.19.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://play.google.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://powerlift.acompli.net
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr String found in binary or memory: https://r5---sn-h0jeln7l.gvt1.com
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://redirector.gvt1.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://roaming.edog.
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: craw_window.js.19.dr, manifest.json.19.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://settings.outlook.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://ssl.gstatic.com
Source: index[1].htm.1.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://staging.cortana.ai
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://tasks.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://webshell.suite.office.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://wus2.contentsync.
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: craw_window.js.19.dr, craw_background.js.19.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://www.google.com
Source: manifest.json.19.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.19.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.19.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.19.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.19.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.19.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: craw_window.js.19.dr, craw_background.js.19.dr, 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.19.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json.19.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.19.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.19.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.19.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 75a425df-9ddd-4041-bdca-f8bc5f54de59.tmp.21.dr, ffcafbd3-fd32-4f6a-bfa5-410720ecafa7.tmp.21.dr String found in binary or memory: https://www.gstatic.com
Source: 7411BFF8-D245-4AA5-9494-FF51EE73FEE8.1.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: unknown DNS traffic detected: queries for: clients2.google.com
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/index.html HTTP/1.1Host: eyecandylashcompany.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /bootstrap/4.0.0/css/bootstrap.min.css HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: https://eyecandylashcompany.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/css/hover.css HTTP/1.1Host: eyecandylashcompany.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /bootstrap/4.0.0/js/bootstrap.min.js HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: https://eyecandylashcompany.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /ajax/libs/popper.js/1.12.9/umd/popper.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveOrigin: https://eyecandylashcompany.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /bootstrap/4.1.3/js/bootstrap.min.js HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /icon/free/png-512/microsoft-sharepoint-3-599372.png HTTP/1.1Host: cdn.iconscout.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/images/gmail.png HTTP/1.1Host: eyecandylashcompany.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/images/office3651.png HTTP/1.1Host: eyecandylashcompany.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /photo/2018/03/10/12/00/paper-3213924_1280.jpg HTTP/1.1Host: cdn.pixabay.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /proxy/bATQDWurvLlY3z2KTwUlb1gMxwLZoCk7CvqzrLqN1JioLU4nXkElVj-rMrvNZjuUXh3c1WhNOGX5_Cg18Wmltm3vvna-uZDqOkUISXU4XOYsUyt-4962tq2u0WiI358gef4ewWcVp0PA6YiTnICV2Cg7wLzdb0DlXw HTTP/1.1Host: lh3.googleusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /proxy/bATQDWurvLlY3z2KTwUlb1gMxwLZoCk7CvqzrLqN1JioLU4nXkElVj-rMrvNZjuUXh3c1WhNOGX5_Cg18Wmltm3vvna-uZDqOkUISXU4XOYsUyt-4962tq2u0WiI358gef4ewWcVp0PA6YiTnICV2Cg7wLzdb0DlXw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: lh3.googleusercontent.com
Source: global traffic HTTP traffic detected: GET /photo/2018/03/10/12/00/paper-3213924_1280.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: cdn.pixabay.com
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/images/office3651.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: eyecandylashcompany.com
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/images/gmail.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: eyecandylashcompany.com
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/index.html HTTP/1.1Accept: */*X-IDCRL_ACCEPTED: tUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office)Accept-Encoding: gzip, deflateHost: eyecandylashcompany.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /photo/2018/03/10/12/00/paper-3213924_1280.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: cdn.pixabay.comIf-Modified-Since: Mon, 02 Aug 2021 02:09:27 GMTIf-None-Match: "bf509e7ae96121dde19a4493fd39f693"Cookie: __cf_bm=PwS.a22gQ7y32IRO8nhJGkYNTtvZD.eBfEnxdVnJCus-1656663209-0-Ackl1C0nXbvyB6LmAkFGjtW9L4OmQCWNfBoQ0X0gVehF7G8/XbuKLYZ2wETtvlM59FjZOs5PJYefwKBhIhIIpWY=
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/images/office3651.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: eyecandylashcompany.comIf-Modified-Since: Sat, 18 Jan 2020 17:50:20 GMT
Source: unknown HTTPS traffic detected: 172.217.16.161:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.64.150.12:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.4:49883 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: 9B7EEB3A.tmp.1.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF5413B9557D54C726.TMP.1.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1516,13884780355783072861,325699125953972634,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation -- "https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1508,16844756102088746549,18276088861922986992,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1932 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1508,16844756102088746549,18276088861922986992,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1932 /prefetch:8 Jump to behavior
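The process chain above is the one thing in this report a detection engineer can act on: EXCEL.EXE starts chrome.exe with the phishing URL as its only positional argument, with no macro and no dropped executable involved. The following is an added example, not part of the sandbox report, showing that pairing (Office parent, browser child, URL on the command line) as a rule over Sysmon-style process-creation events. The events are constructed for the demo; the first command line is copied from the report's own process-creation entry, the other three are benign decoys (Excel's print-driver proxy splwow64.exe, a user-launched browser, and a Chrome helper process).

```python
"""Office-parent -> browser-child detection, as seen in this report's process tree.
Added example; the event records below are constructed (Sysmon Event ID 1 field names)."""
import re
from typing import Iterable, Optional

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
# A URL argument ends at whitespace or at the quote that wraps it.
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)

# Constructed events. The first command line is the one the report shows.
EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized '
                    r'--enable-automation -- "https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html"'},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility '
                    r'--utility-sub-type=network.mojom.NetworkService --lang=en-GB'},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, so the match is on the image name only."""
    return path.rsplit("\\", 1)[-1].lower()


def office_launched_browser(event: dict) -> Optional[dict]:
    """Alert when an Office application is the direct parent of a browser process.
    Any URL on the child's command line is extracted as an indicator; an Office-to-browser
    launch with no URL is still reported, at lower severity, since the target can also
    be handed over through other means."""
    if basename(event["ParentImage"]) not in OFFICE_IMAGES:
        return None
    if basename(event["Image"]) not in BROWSER_IMAGES:
        return None
    urls = URL_RE.findall(event["CommandLine"])
    return {
        "parent": basename(event["ParentImage"]),
        "child": basename(event["Image"]),
        "urls": urls,
        "severity": "high" if urls else "medium",
    }


def scan(events: Iterable[dict]) -> list:
    """Run the rule over a stream of process-creation events and keep the hits."""
    return [alert for alert in (office_launched_browser(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(f"[{alert['severity']}] {alert['parent']} -> {alert['child']} urls={alert['urls']}")
```

This is a triage signal rather than a verdict: a user clicking a legitimate hyperlink in a spreadsheet produces the same parent/child pair, so the extracted URL should be fed to reputation lookups (as the AV Detection section of this report does) before the event is escalated. The splwow64.exe child is the 64-bit print spooler's proxy for 32-bit printer drivers and is expected under a 32-bit Office install.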
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{C44493E4-3E10-4C38-882B-0AB87BB40BDB} - OProcSessId.dat
Source: classification engine Classification label: mal84.phis.expl.winXLSX@36/108@18/13
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Invoice#0036473 .xlsx Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: 9B7EEB3A.tmp.1.dr Initial sample: OLE indicators vbamacros = False
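Together, the two static indicators above (the package carries xl/media/image1.png and no VBA project) and the EXCEL.EXE-to-chrome.exe launch describe a macro-free lure: an embedded picture that is hyperlinked to the phishing page. The OOXML mechanism for that is a relationship with TargetMode="External" in one of the package's .rels parts. The following is an added example, not part of the report, of a static triage pass that pulls every external target out of an .xlsx and checks for the lure pattern. The package it inspects is constructed in memory, since the report does not show the sample's relationship files; the media path and the URL are the ones the report lists.

```python
"""Static triage of an OOXML (.xlsx) package for the no-macro, image-with-hyperlink lure
seen in this report. Added example; the package built here is constructed for the demo."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
IMAGE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
VBA_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"

# URL and media path as listed in the report.
PHISH_URL = "https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html"
MEDIA_PATH = "xl/media/image1.png"


def build_sample_xlsx() -> bytes:
    """Constructed minimal package: one drawing whose picture is an external hyperlink.
    Only the parts that triage_ooxml() inspects are populated (assumed layout, not the
    sample's actual contents)."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{IMAGE_TYPE}" Target="../media/image1.png"/>'
        f'<Relationship Id="rId2" Type="{HYPERLINK_TYPE}" Target="{PHISH_URL}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr(MEDIA_PATH, b"\x89PNG\r\n\x1a\n")  # PNG signature only, placeholder image
        z.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Collect external relationship targets, media parts and VBA presence from a package."""
    findings = {"external_targets": [], "media": [], "vba_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["media"] = [n for n in names if n.startswith("xl/media/")]
        findings["vba_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # External targets leave the package; a vbaProject relationship means macros.
                if rel.get("TargetMode") == "External" or rel.get("Type") == VBA_TYPE:
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings["external_targets"].append((name, kind, rel.get("Target")))
    return findings


def is_image_hyperlink_lure(findings: dict) -> bool:
    """The pattern from this report: no macros, embedded media, and at least one
    hyperlink relationship pointing at an http(s) URL."""
    urls = [t for _, kind, t in findings["external_targets"]
            if kind == "hyperlink" and t and t.lower().startswith(("http://", "https://"))]
    return bool(urls) and bool(findings["media"]) and not findings["vba_macros"]


if __name__ == "__main__":
    result = triage_ooxml(build_sample_xlsx())
    for part, kind, target in result["external_targets"]:
        print(f"{part}: {kind} -> {target}")
    print("image-hyperlink lure:", is_image_hyperlink_lure(result))
```

Because the check reads only the .rels parts, it needs no Excel and no rendering; the same loop also surfaces externalLink and oleObject relationships, which cover the remote-template and embedded-object variants of the same delivery trick.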
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (32 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 1248
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000