Analysis Report sample20210111-01.xlsm

Overview

General Information

Sample Name: sample20210111-01.xlsm
Analysis ID: 338158
MD5: fa5350d4304c4c2ceafa435244b5a5fc
SHA1: fc8a20962b8cf86568b1e85be02ee9c7b62d94b2
SHA256: 0104974a7bf43e2e31d25ae485f57c62efe89eaea2d3e520db8a76fa70dd956d
Tags: Dridex, xlsm

Detection

Hidden Macro 4.0 Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Dridex e-Banking trojan
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Allocates a big amount of memory (probably used for heap spraying)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query network adapter information
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 16.2.regsvr32.exe.b80000.3.unpack Malware Configuration Extractor: Dridex
  Bot id: 10444
  IP Address table (Address count 4):
    77.220.64.37:443
    80.86.91.27:3308
    5.100.228.233:3389
    46.105.131.65:1512
Multi AV Scanner detection for submitted file
Source: sample20210111-01.xlsm Virustotal: Detection: 26%
Source: sample20210111-01.xlsm ReversingLabs: Detection: 32%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\xnaitann.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dunjzsby.dll Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 74.220.219.210:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.171.244.207:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.41.153:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49865 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\mkmanoo.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\dunjzsby.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\xnaitann.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: u8wa3gh[1].zip.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 1MB later: 77MB
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: bulksms.interweblimited.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 74.220.219.210:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 74.220.219.210:443

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49775 -> 80.86.91.27:3308
Source: global traffic TCP traffic: 192.168.2.4:49776 -> 5.100.228.233:3389
Source: global traffic TCP traffic: 192.168.2.4:49777 -> 46.105.131.65:1512
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 5.100.228.233
Source: Joe Sandbox View IP Address: 80.86.91.27
Source: Joe Sandbox View IP Address: 46.105.131.65
Source: Joe Sandbox View IP Address: 77.220.64.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SENTIANL
Source: Joe Sandbox View ASN Name: GD-EMEA-DC-SXB1DE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 77.220.64.37 (18 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 80.86.91.27 (11 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 5.100.228.233 (11 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 46.105.131.65 (10 entries)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_00BB39F9 InternetReadFile, 16_2_00BB39F9
Source: unknown DNS traffic detected: queries for: bulksms.interweblimited.com
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000010.00000003.888660438.0000000000845000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000010.00000003.811700017.000000000086D000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.16.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000010.00000003.810278841.00000000008F2000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?95a542b1dd52e
Source: regsvr32.exe, 00000010.00000003.810278841.00000000008F2000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/p
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65/
Source: regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65/(
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.938801902.00000000031AE000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/
Source: regsvr32.exe, 00000012.00000003.886324610.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/(
Source: regsvr32.exe, 00000010.00000002.982174522.0000000000866000.00000004.00000020.sdmp, regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/0
Source: regsvr32.exe, 00000012.00000003.980223979.000000000317D000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/6
Source: regsvr32.exe, 00000012.00000003.942509383.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/8
Source: regsvr32.exe, 00000012.00000003.954288057.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/;
Source: regsvr32.exe, 00000012.00000003.947193651.00000000031AF000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/D
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/ES
Source: regsvr32.exe, 00000012.00000003.936022022.00000000031AF000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/H
Source: regsvr32.exe, 00000012.00000003.886324610.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/P
Source: regsvr32.exe, 00000012.00000003.966072159.00000000031A7000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/h
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/h:
Source: regsvr32.exe, 00000012.00000003.972854437.000000000317D000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/la
Source: regsvr32.exe, 00000012.00000003.972854437.000000000317D000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/m
Source: regsvr32.exe, 00000012.00000003.947193651.00000000031AF000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/oft
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/p
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.942509383.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/soft
Source: regsvr32.exe, 00000012.00000003.886324610.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://46.105.131.65:1512/x
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp String found in binary or memory: https://5..105.131.65:1512/
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233/
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233/w
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp, regsvr32.exe, 00000010.00000003.888626667.000000000086C000.00000004.00000001.sdmp, regsvr32.exe, 00000010.00000003.888613064.00000000008F2000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.941475415.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.968234770.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/
Source: regsvr32.exe, 00000012.00000003.972870710.00000000031A3000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/(
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.942509383.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/0
Source: regsvr32.exe, 00000012.00000003.952484888.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/8
Source: regsvr32.exe, 00000012.00000003.952484888.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/D
Source: regsvr32.exe, 00000012.00000003.952484888.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.978555876.00000000031A4000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/ES
Source: regsvr32.exe, 00000012.00000003.959829384.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/H
Source: regsvr32.exe, 00000010.00000003.888626667.000000000086C000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/N
Source: regsvr32.exe, 00000012.00000003.922794583.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/P
Source: regsvr32.exe, 00000012.00000003.968234770.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/X
Source: regsvr32.exe, 00000010.00000002.982174522.0000000000866000.00000004.00000020.sdmp String found in binary or memory: https://5.100.228.233:3389/Z
Source: regsvr32.exe, 00000012.00000003.930528102.00000000031AE000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/h
Source: regsvr32.exe, 00000012.00000003.978500644.000000000317D000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/la
Source: regsvr32.exe, 00000012.00000003.978500644.000000000317D000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/ll
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/lln
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/oft
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/r
Source: regsvr32.exe, 00000010.00000002.982174522.0000000000866000.00000004.00000020.sdmp, regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.978555876.00000000031A4000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/soft
Source: regsvr32.exe, 00000012.00000003.959829384.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://5.100.228.233:3389/x
Source: regsvr32.exe, 00000012.00000003.972854437.000000000317D000.00000004.00000001.sdmp String found in binary or memory: https://77.105.131.65:1512/
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp, regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.978520541.0000000003185000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.928596818.00000000031A7000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/
Source: regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/(
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/.
Source: regsvr32.exe, 00000012.00000003.962535896.00000000031A5000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/.(
Source: regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/.:
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/.W
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/00.228.233/
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/105.131.65/
Source: regsvr32.exe, 00000012.00000002.992729996.000000000317E000.00000004.00000020.sdmp String found in binary or memory: https://77.220.64.37/105.131.65/pe
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/3
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/3321935-2125563209-4053062332-1002
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp String found in binary or memory: https://77.220.64.37/4
Source: regsvr32.exe, 00000012.00000002.992729996.000000000317E000.00000004.00000020.sdmp String found in binary or memory: https://77.220.64.37/5
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/53321935-2125563209-4053062332-1002
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/;
Source: regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/?
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp String found in binary or memory: https://77.220.64.37/B
Source: regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/F
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/H
Source: regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/O
Source: regsvr32.exe, 00000012.00000003.936022022.00000000031AF000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/S
Source: regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/W
Source: regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/X
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/b
Source: regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/c
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/c=
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/cW
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/cb
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/e
Source: regsvr32.exe, 00000012.00000003.890960750.00000000031AC000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/l
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/nd-point:
Source: regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/nd-point:J
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/si
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/si(
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/si3
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp String found in binary or memory: https://77.220.64.37/si=
Source: regsvr32.exe, 00000012.00000003.978520541.0000000003185000.00000004.00000001.sdmp String found in binary or memory: https://77.86.91.27:3308/
Source: regsvr32.exe, 00000012.00000002.992736371.0000000003185000.00000004.00000020.sdmp String found in binary or memory: https://80.220.64.37/
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.884237810.00000000031AF000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27/
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27/A
Source: regsvr32.exe, 00000012.00000003.884237810.00000000031AF000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27/s
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27/~
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.925027011.00000000031AE000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.903292509.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.922794583.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/
Source: regsvr32.exe, 00000012.00000003.925027011.00000000031AE000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/(
Source: regsvr32.exe, 00000012.00000003.962590797.000000000317E000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/-
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/.dll
Source: regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308//
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308//x
Source: regsvr32.exe, 00000012.00000003.974657502.00000000031A4000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/0
Source: regsvr32.exe, 00000012.00000003.890960750.00000000031AC000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/220.64.37
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/3
Source: regsvr32.exe, 00000012.00000003.941475415.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/8
Source: regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/99f5f57b9aM
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/D
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/H
Source: regsvr32.exe, 00000012.00000003.974657502.00000000031A4000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/P
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.903292509.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/anced
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/crosoft
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/h
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/h1
Source: regsvr32.exe, 00000012.00000003.978555876.00000000031A4000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/p
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/r
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/rX
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/raphy
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/rh
Source: regsvr32.exe, 00000012.00000003.925027011.00000000031AE000.00000004.00000001.sdmp String found in binary or memory: https://80.86.91.27:3308/x
Source: regsvr32.exe, 00000010.00000003.888569929.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.941475415.00000000031AD000.00000004.00000001.sdmp String found in binary or memory: https://80100.228.233:3389/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.office.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.onedrive.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://augloop.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: mkmanoo.dll.0.dr String found in binary or memory: https://bulksms.interweblimited.com
Source: mkmanoo.dll.0.dr String found in binary or memory: https://bulksms.interweblimited.com/svg/404.svg);
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://cdn.entity.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://cortana.ai/api
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://cr.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://directory.services.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: mkmanoo.dll.0.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Nunito
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://graph.windows.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://graph.windows.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://login.windows.local
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://management.azure.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://management.azure.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://messaging.office.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://ncus-000.contentsync.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://officeapps.live.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://onedrive.live.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://outlook.office.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://settings.outlook.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://tasks.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://wus2-000.contentsync.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: regsvr32.exe, 00000010.00000003.888660438.0000000000845000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927

E-Banking Fraud:

Detected Dridex e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_00B851A7 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 16_2_00B851A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 18_2_02FC51A7 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 18_2_02FC51A7

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab") Name: pagesREviewsd
Found Excel 4.0 Macro with suspicious formulas
Source: sample20210111-01.xlsm Initial sample: CALL
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\dunjzsby.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\xnaitann.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_00B922A0 NtDelayExecution, 16_2_00B922A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_00BABE30 NtClose, 16_2_00BABE30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 18_2_02FD22A0 NtDelayExecution, 18_2_02FD22A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 18_2_02FEBE30 NtClose, 18_2_02FEBE30
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: sample20210111-01.xlsm OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentation OLE, VBA macro: Module Sheet1, Function view_1_a_Layout Name: view_1_a_Layout
Document contains embedded VBA macros
Source: sample20210111-01.xlsm OLE indicator, VBA macros: true
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mkmanoo.dll
Source: classification engine Classification label: mal100.bank.expl.evad.winXLSM@9/19@3/7
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{A1C10B6F-1451-4F4E-B798-25D5A2E05EB3} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: sample20210111-01.xlsm Virustotal: Detection: 26%
Source: sample20210111-01.xlsm ReversingLabs: Detection: 32%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll.
Source: unknown Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\dunjzsby.dll.
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\xnaitann.dll.
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll.
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\dunjzsby.dll.
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\xnaitann.dll.
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: sample20210111-01.xlsm Initial sample: OLE zip file path = xl/media/image2.png
Source: sample20210111-01.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: sample20210111-01.xlsm Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_10002140 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualAlloc, 16_2_10002140
Registers a DLL
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll.
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1000400A push esi; retf 16_2_1000401D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_10010810 pushfd ; retf 16_2_1001084E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1000D856 push ebp; retf 16_2_1000D85E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1000E8F3 pushad ; iretd 16_2_1000E8F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_10002140 push ecx; ret 16_2_100021B6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1001CD9B push esp; retf 16_2_1001CDB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1000C265 push 588A19FDh; iretd 16_2_1000C278
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_10020A73 push edx; iretd 16_2_10020A9C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1000FEBF push eax; iretd 16_2_1000FEC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1000FEFA push 00000000h; iretd 16_2_1000FF10
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_10023EFF push eax; iretd 16_2_10023F64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1000C304 push 588A1BCDh; iretd 16_2_1000C314
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_10010307 push esp; retf 16_2_10010308
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1000CF15 push 0000002Dh; iretd 16_2_1000CF1C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1001DB23 push eax; iretd 16_2_1001DB34
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_10020B27 push eax; iretd 16_2_10020B28
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_1000DFC7 pushad ; iretd 16_2_1000DFC8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_10023FEB push edx; ret 16_2_10024001
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_100107FB pushfd ; retf 16_2_1001084E

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\dunjzsby.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\xnaitann.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to query network adapter information
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 16_2_00B851A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 18_2_02FC51A7
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824 Thread sleep times (97 calls, each >= -30000s): -384000s, -664000s, -700000s, -315000s, -648000s, -600000s, -414000s, -684000s, -356000s, -912000s, -831000s, -610000s, -402000s, -241000s, -242000s, -282000s, -249000s, -157000s, -145000s, -544000s, -323000s, -381000s, -158000s, -297000s, -163000s, -592000s, -142000s, -620000s, -350000s, -644000s, -716000s, -308000s, -327000s, -173000s, -438000s, -299000s, -174000s, -279000s, -680000s, -302000s, -330000s, -156000s, -676000s, -396000s, -357000s, -270000s, -352000s, -570000s, -576000s, -620000s, -351000s, -625000s, -536000s, -126000s, -280000s, -306000s, -259000s, -336000s, -248000s, -501000s, -429000s, -318000s, -124000s, -600000s, -139000s, -346000s, -165000s, -320000s, -354000s, -308000s, -172000s, -262000s, -340000s, -298000s, -247000s, -294000s, -293000s, -274000s, -516000s, -153000s, -295000s, -270000s, -342000s, -278000s, -266000s, -284000s, -240000s, -272000s, -243000s, -324000s, -283000s, -282000s, -137000s, -316000s, -352000s, -333000s, -144000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124 Thread sleep times (71 calls, each >= -30000s): -336000s, -396000s, -292000s, -343000s, -510000s, -172000s, -126000s, -329000s, -246000s, -308000s, -166000s, -873000s, -131000s, -636000s, -152000s, -268000s, -288000s, -286000s, -335000s, -276000s, -163000s, -176000s, -319000s, -310000s, -426000s, -294000s, -324000s, -342000s, -167000s, -316000s, -352000s, -161000s, -285000s, -354000s, -150000s, -317000s, -342000s, -125000s, -149000s, -357000s, -519000s, -157000s, -274000s, -282000s, -135000s, -290000s, -165000s, -241000s, -301000s, -316000s, -256000s, -592000s, -136000s, -169000s, -275000s, -179000s, -251000s, -441000s, -174000s, -288000s, -153000s, -287000s, -121000s, -151000s, -256000s, -127000s, -349000s, -124000s, -141000s, -356000s, -331000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_00B93930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation, 16_2_00B93930
Source: regsvr32.exe, 00000010.00000002.982166126.0000000000859000.00000004.00000020.sdmp, regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW(
Source: regsvr32.exe, 00000012.00000002.992709118.000000000314A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWH

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_10002140 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualAlloc, 16_2_10002140
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_00B97A60 RtlAddVectoredExceptionHandler, 16_2_00B97A60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 18_2_02FD7A60 RtlAddVectoredExceptionHandler, 18_2_02FD7A60

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 80.86.91.27 236
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 5.100.228.233 61
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 46.105.131.65 232
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 77.220.64.37 187
Source: regsvr32.exe, 00000010.00000002.989036375.0000000002D60000.00000002.00000001.sdmp, regsvr32.exe, 00000012.00000002.992808368.00000000035D0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: regsvr32.exe, 00000010.00000002.989036375.0000000002D60000.00000002.00000001.sdmp, regsvr32.exe, 00000012.00000002.992808368.00000000035D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000010.00000002.989036375.0000000002D60000.00000002.00000001.sdmp, regsvr32.exe, 00000012.00000002.992808368.00000000035D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: regsvr32.exe, 00000010.00000002.989036375.0000000002D60000.00000002.00000001.sdmp, regsvr32.exe, 00000012.00000002.992808368.00000000035D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 16_2_00B92980 GetUserNameW, 16_2_00B92980
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph:

Behavior Graph ID: 338158 Sample: sample20210111-01.xlsm Startdate: 11/01/2021 Architecture: WINDOWS Score: 100

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Document exploit detected (drops PE files); 7 other signatures

EXCEL.EXE (started by the sample)
  • DNS/IP: osmosisecuador.com 192.185.41.153, 443, 49841 UNIFIEDLAYER-AS-1US United States
  • DNS/IP: bulksms.interweblimited.com 74.220.219.210, 443, 49746 UNIFIEDLAYER-AS-1US United States
  • DNS/IP: sistacweb.com 184.171.244.207, 443, 49772 DIMENOCUS United States
  • Dropped: C:\Users\user\AppData\Local\...\xnaitann.dll, PE32
  • Dropped: C:\Users\user\AppData\Local\...\dunjzsby.dll, PE32
  • Dropped: C:\Users\user\AppData\...\u8wa3gh[1].zip, PE32
  • Dropped: 3 other malicious files
  • Signatures: Document exploit detected (creates forbidden files); Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
  • Child processes started: regsvr32.exe (three instances), splwow64.exe

regsvr32.exe (started by EXCEL.EXE)
  • Signatures: System process connects to network (likely due to code injection or exploit); Detected Dridex e-Banking trojan
  • DNS/IP: 5.100.228.233, 3389, 49776, 49780 SENTIANL Netherlands
  • DNS/IP: 46.105.131.65, 1512, 49777, 49781 OVHFR France
  • DNS/IP: 2 other IPs or domains

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name                               Malicious
192.185.41.153   unknown  United States  46606  UNIFIEDLAYER-AS-1US                    false
5.100.228.233    unknown  Netherlands    8315   SENTIANL                               true
80.86.91.27      unknown  Germany        8972   GD-EMEA-DC-SXB1DE                      true
46.105.131.65    unknown  France         16276  OVHFR                                  true
74.220.219.210   unknown  United States  46606  UNIFIEDLAYER-AS-1US                    false
184.171.244.207  unknown  United States  33182  DIMENOCUS                              false
77.220.64.37     unknown  Italy          44160  INTERNETONEInternetServicesProviderIT  true

Contacted Domains

Name                         IP               Active
osmosisecuador.com           192.185.41.153   true
bulksms.interweblimited.com  74.220.219.210   true
sistacweb.com                184.171.244.207  true