Engine | Download Report | Detection | Info |
---|---|---|---|
|
malicious
Score: 84
|
System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
|
|
|
malicious
Score: 100
|
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run Condition: Potential for more IOCs and behavior
|
IP | Country | Detection |
---|---|---|
195.154.146.35 | France | |
51.210.242.234 | France | |
37.44.244.177 | Germany | |
Click to see the 19 hidden entries | ||
66.42.57.149 | United States | |
177.72.80.14 | Brazil | |
51.178.61.60 | France | |
168.197.250.14 | Argentina | |
72.167.40.83 | United States | |
78.47.204.80 | Germany | |
50.62.141.15 | United States | |
195.77.239.39 | Spain | |
207.148.81.119 | United States | |
54.38.242.185 | France | |
142.4.219.173 | Canada | |
185.148.169.10 | Germany | |
54.37.228.122 | France | |
45.79.33.48 | United States | |
191.252.103.16 | Brazil | |
85.214.67.203 | Germany | |
37.59.209.141 | France | |
78.46.73.125 | Germany | |
196.44.98.190 | Ghana |
Name | IP | Detection |
---|---|---|
thepilatesstudionj.com | 72.167.40.83 | |
alfaofarms.com | 50.62.141.15 |
Name | Detection |
---|---|
http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/ | |
http://thepilatesstudionj.co | |
https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/ | |
Click to see the 97 hidden entries | |
http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/ | |
http://itomsystem.in/i9eg3y/nNxmmn9aTcv/.Split | |
https://staviancjs.com/wp-forum/QOm4n2/ | |
https://outlook.office.com/ | |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | |
https://168.197.250.14/563209-4053062332-1002 | |
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | |
http://crl.micr | |
https://messaging.office.com/ | |
https://devnull.onenote.com | |
https://graph.windows.net/ | |
https://substrate.office.com/search/api/v1/SearchHistory | |
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | |
https://storage.live.com/clientlogs/uploadlocation | |
http://pesterbdd.com/images/Pester.pngp | |
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | |
https://entitlement.diagnostics.office.com | |
https://clients.config.office.net/user/v1.0/android/policies | |
https://45.79.33.48:8080/2 | |
https://outlook.office365.com/api/v1.0/me/Activities | |
https://o365auditrealtimeingestion.manage.office.com | |
https://dev.virtualearth.net/REST/v1/Routes/Driving | |
https://clients.config.office.net/user/v1.0/ios | |
https://wus2.contentsync. | |
https://45.79.33.48:8080/0 | |
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | |
https://api.diagnosticssdf.office.com | |
https://45.79.33.48:8080/a | |
https://activity.windows.com | |
https://168.197.250.14/h | |
https://cortana.ai/api | |
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL | |
https://51.178.61.60/E | |
https://api.powerbi.com/v1.0/myorg/datasets | |
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL2q | |
https://wus2.pagecontentsync. | |
https://store.office.de/addinstemplate | |
https://skyapi.live.net/Activity/ | |
https://api.diagnostics.office.com | |
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | |
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | |
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | |
https://augloop.office.com | |
https://onedrive.live.com/embed? | |
https://staging.cortana.ai | |
https://visio.uservoice.com/forums/368202-visio-on-devices | |
https://api.cortana.ai | |
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | |
https://168.197.250.14/W | |
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHLz | |
http://pesterbdd.com/images/Pester.png | |
https://store.office.cn/addinstemplate | |
https://officeci.azurewebsites.net/api/ | |
https://tasks.office.com | |
https://res.getmicrosoftkey.com/api/redemptionevents | |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | |
https://51.178.61.60/xlgRAUoKyrAaNnNNtTN3 | |
https://cr.office.com | |
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | |
https://api.microsoftstream.com/api/ | |
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | |
http://www.apache.org/licenses/LICENSE-2.0.html | |
https://api.aadrm.com/ | |
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | |
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | |
https://lookup.onenote.com/lookup/geolocation/v1 | |
https://rpsticket.partnerservices.getmicrosoftkey.com | |
https://45.79.33.48:8080/uDpHLeAeeItaVoryptography | |
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | |
https://cdn.entity. | |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | |
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | |
https://autodiscover-s.outlook.com/ | |
https://dynamic.t | |
https://shell.suite.office.com:1443 | |
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | |
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL4053062332-1002 | |
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | |
https://51.178.61.60/xlgRAUoKyrAaNnNNtTNh | |
http://weather.service.msn.com/data.aspx | |
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | |
https://ncus.contentsync. | |
https://dev.virtualearth.net/REST/v1/Routes/Transit | |
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | |
https://45.79.33.48/ | |
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | |
https://github.com/Pester/Pesterp | |
https://github.com/Pester/Pester | |
https://graph.windows.net | |
https://dev.virtualearth.net/REST/v1/Locations | |
https://api.addins.store.officeppe.com/addinstemplate | |
https://web.microsoftstream.com/video/ | |
https://api.powerbi.com/v1.0/myorg/groups | |
https://www.odwebp.svc.ms | |
http://crl.ver) | |
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | |
https://51.178.61.60/xlgRAUoKyrAaNnNNtTNa |
Name | File Type | Hashes | Detection |
---|---|---|---|
C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy) |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | # | |
C:\Users\user\Desktop\~$1711.doc |
data | # | |
C:\ProgramData\13791789.dll |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | # | |
Click to see the 23 hidden entries | |||
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivljvnov.dnx.ps1 |
very short file (no magic) | # | |
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211122_190130_406.etl |
data | # | |
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log |
Little-endian UTF-16 Unicode text, with CRLF, CR line terminators | # | |
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp |
ASCII text, with no line terminators | # | |
C:\Users\user\Documents\20211122\PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt |
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | # | |
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC |
Little-endian UTF-16 Unicode text, with CR line terminators | # | |
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm |
data | # | |
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat |
ASCII text, with CRLF line terminators | # | |
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1711.LNK |
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 13:47:09 2020, mtime=Mon Nov 22 18:01:14 2021, atime=Mon Nov 22 18:01:11 2021, length=135948, window=hide | # | |
C:\Users\user\AppData\Local\Temp\~DFE2F261E3909AA4D4.TMP |
Composite Document File V2 Document, Cannot read section info | # | |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjtsltui.gs0.psm1 |
very short file (no magic) | # | |
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd |
data | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive |
data | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache |
data | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C4306DA8-3134-42DC-857A-E2C8FA5CD236}.tmp |
data | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9EE2F9D3-844A-448C-93FB-84314B295DC1}.tmp |
data | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{521AB53C-1F2D-413C-8011-B893289A85E3}.tmp |
data | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp |
Composite Document File V2 Document, Cannot read section info | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5EEF27A6.png |
PNG image data, 1127 x 490, 8-bit/color RGB, non-interlaced | # | |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\228B70BA-96BF-49A2-BAE9-6D7972869BA5 |
XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators | # | |
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm |
data | # | |
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db |
Extensible storage engine DataBase, version 0x620, checksum 0x985cf3fb, page size 16384, DirtyShutdown, Windows version 10.0 | # | |
C:\ProgramData\Microsoft\Network\Downloader\edb.log |
MPEG-4 LOAS | # |