Engine | Download Report | Detection | Info |
---|---|---|---|
|
malicious
Score: 80
|
System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
|
|
|
malicious
Score: 88
|
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run Condition: Potential for more IOCs and behavior
|
IP | Country | Detection |
---|---|---|
157.230.250.107 | United States |
Name | Detection |
---|---|
https://ncus.contentsync. | |
https://login.windows.net/common/oauth2/authorizea | |
https://devnull.onenote.comMBI_SSL_SHORT | |
Click to see the 97 hidden entries | |
https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2Azur | |
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | |
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | |
https://substrate.office.comP | |
http://weather.service.msn.com/data.aspx | |
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebooke | |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingMBI_SSL_SHORTssl. | |
http://157.230.250.107:8080/mfkrmotherfuckeru6y82 | |
https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci. | |
https://of.230.250.107:8080/ | |
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | |
https://augloop.office.com/v2)V | |
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory. | |
https://api.onedrive.comMBI | |
http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf | |
https://graph.windows.net | |
https://api.addins.store.officeppe.com/addinstemplate | |
https://web.microsoftstream.com/video/ | |
https://api.powerbi.com/v1.0/myorg/groups | |
https://substrate.office.com5S | |
https://www.odwebp.svc.ms | |
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer | |
http://157.230.250.107:8080/mfkrmotherfuckeru | |
https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oau | |
https://management.azure.comfR | |
https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/ | |
https://login.windows.net/common/oauth2/authorizeS | |
https://login.windows.net/common/oauth2/authorizeR | |
https://graph.windows.net/https://graph.windows.net | |
https://clients.config.office.net/user/v1.0/android/policies | |
https://login.windows.net/common/oauth2/authorizeP | |
https://outlook.office.com$ | |
https://login.windows.net/common/oauth2/authorize_ | |
https://outlook.office365.com/api/v1.0/me/Activities | |
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | |
https://o365auditrealtimeingestion.manage.office.com | |
https://login.windows.net/common/oauth2/authorizeY | |
https://login.windows.net/common/oauth2/authorizeX | |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrivep | |
https://login.windows.net/common/oauth2/authorizef | |
https://clients.config.office.net/user/v1.0/ios | |
https://login.windows.net/common/oauth2/authorizee | |
https://login.windows.net/common/oauth2/authorized | |
https://wus2.contentsync. | |
https://login.windows.net/common/oauth2/authorizec | |
https://login.windows.net/common/oauth2/authorizeb | |
https://lookup.onenote.com/lookup/geolocation/v1 | |
http://157.230.250mObjec | |
https://lookup.onenote.com/lookup/geolocation/v1Q | |
http://157.230.250.10 | |
https://outlook.office365.com/autodiscover/autodiscover.jsont | |
https://api.aadrm.com/ | |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl. | |
https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em | |
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | |
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | |
http://schemas.open | |
https://www.odwebp.svc.msomP | |
https://outlook.office.comUP | |
http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswh | |
https://rpsticket.partnerservices.getmicrosoftkey.com | |
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | |
https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize | |
https://cdn.entity. | |
https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oau | |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | |
https://o365auditrealtimeingestion.manage.office.comBearer | |
https://autodiscover-s.outlook.com/ | |
https://shell.suite.office.com:1443 | |
http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9 | |
http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhoreh | |
https://substrate.office.com6Q | |
https://api.powerbi.com/v1.0/myorg/groupsBearer | |
https://outlook.office365.com/B | |
https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORT | |
https://store.office.cn/addinstemplate | |
https://login.windows.net/common/oauth2/authorize$ | |
https://login.windows.net/common/oauth2/authorize# | |
https://officeci.azurewebsites.net/api/ | |
https://tasks.office.com | |
https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOf | |
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer | |
https://res.getmicrosoftkey.com/api/redemptionevents | |
https://onedrive.live.com/embed?ites | |
https://sr.outlook.office.net/ws/speech/recognize/assistaF | |
http://weather.service.msn.com/data.aspxSSExcelCShttps://excelcs. | |
https://graph.ppe.windows.net/dW | |
https://o365auditrealtimeingestion.manage.office.comU | |
https://cr.office.com | |
http://157.230.250.107:8080/mfkrmotherfuckeru6y82sassw | |
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | |
https://api.microsoftstream.com/api/ | |
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp | |
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | |
https://api.powerbi.com/v1.0/myorg/groupsD | |
https://login.windows.net/common/oauth2/authorizesvS |
Name | File Type | Hashes | Detection |
---|---|---|---|
C:\ProgramData\LZbir.rtf |
HTML document, ASCII text, with very long lines, with CRLF line terminators | # | |
C:\Users\user\Desktop\3762.xlsm (copy) |
Microsoft Excel 2007+ | # | |
C:\Users\user\Desktop\~$3762.xlsm |
data | # | |
Click to see the 5 hidden entries | |||
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0E1DCC09-05B4-4691-AA45-316DEEA02104 |
XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D0FA441F.png |
PNG image data, 960 x 540, 8-bit/color RGBA, non-interlaced | # | |
C:\Users\user\Desktop\9BB50000 |
Microsoft Excel 2007+ | # | |
C:\Users\user\Desktop\9BB50000:Zone.Identifier |
ASCII text, with CRLF line terminators | # | |
\Device\ConDrv |
ASCII text, with CRLF, CR line terminators | # |