Analysis Report request_form_1611565093.xlsm

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 50.87.232.245:443 -> 192.168.2.3:49722 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: kernel32.pdbUGP source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdbUGP source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdb source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7`d source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp, 9ght3erd[1].exe.0.dr
Source:	Binary string: Dw=helpvolumelabelmasteredudfUDFJOLIETItemPosItemOrder%s (%d).%sData\Program Files\Data\Windows\Program Files\Data\Program Files (x86)\Data\ProgramData\.cdxml.cer.automaticdestinations-ms.cat.dmp.cookie.customdestinations-msWindows\$Windows.~BT\Program Files (x86)\ProgramData\.appxbundle.appxpackageWindows.old\.appx.msip.msm.ocx.olb.mui.nst.etl.fon.dsft.efi.mpb.mp.partial.pdb.p7s.p7x.pfx.pem.pfm.p10.p12.ost.otf.p7m.p7r.p7b.p7c.sys.ttc.spkg.sst.vmrs.vsi.vmcx.psd1.psf.sft.spc.rll.wim.winmd.vsix.wfsWININET.xap\shellL source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: ole32.pdbUGP source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7 source: 9ght3erd[1].exe.0.dr
Source:	Binary string: ole32.pdb source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdb source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdb source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: user32.pdb source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdbUGP source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdb source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: kernel32.pdb source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: user32.pdbUGP source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdbUGP source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdbUGP source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdbUGP source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdbUGP source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdb source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp

Spreading:

Checks for available system drives (often done to infect USB drives)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: z:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: x:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: v:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: t:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: r:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: p:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: n:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: l:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: j:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: h:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: f:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: b:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: y:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: w:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: u:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: s:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: q:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: o:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: m:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: k:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: i:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: g:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: e:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: c:			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: a:			Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\otrgh\sdgvjk\fdcbn.exe			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: 9ght3erd[1].exe.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\otrgh\sdgvjk\fdcbn.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: japort.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.3:49722 -> 50.87.232.245:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.3:49722 -> 50.87.232.245:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: japort.com

Urls found in memory or binary data

Source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	String found in binary or memory: http://.css
Source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	String found in binary or memory: http://.jpg
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enRootDirUrlSoftware
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es00
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.anf.es
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	String found in binary or memory: http://www.dsquery.dll
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://%s.pinrules.crt/%sendTraceLogca1.3.6.1.4.1.311.10.8.11.3.6.1.4.1.311.10.11.1.3.6.1.4.1.311.1
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/P
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/X
Source: fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	String found in binary or memory: https://192.168.0.1/flower/green_flower
Source: fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/flower/green_flowerG
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/flower/green_flowers
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/h
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/ings
Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	String found in binary or memory: https://192.168.0.1/ingsLMEM8
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/lower/green_flower
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/p
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/x
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000002.500266048.000001DEEECE6000.00000004.00000020.sdmp	String found in binary or memory: https://3.14.70.198/
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/6
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/H
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/P
Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp, fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/flower/green_flower
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/flower/green_flowerj
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/flower/green_flower~
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/ings
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/
Source: fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/$
Source: fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flower
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flower;
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowerj
Source: fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowerl
Source: fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowerm32
Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowern
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.office.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://augloop.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.entity.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cr.office.com
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://directory.services.
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://eca.hinet.net/repository0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.windows.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows.local
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://management.azure.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://management.azure.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://tasks.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 50.87.232.245:443 -> 192.168.2.3:49722 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)

Source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp

Binary or memory string: GetRawInputData

Yara detected Keylogger Generic

Source: Yara match	File source: Process Memory Space: fdcbn.exe PID: 4872, type: MEMORY
Source: Yara match	File source: Process Memory Space: fdcbn.exe PID: 5384, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" 11_ from the yellow bar above 12 13_ Once You have Enable Editing, please click "
Source: Screenshot number: 4	Screenshot OCR: Enable Content" 14 from the yellow bar above 15 16 17 18" WHY I CANNOT OPEN THIS DOCUMENT? 19
Source: Screenshot number: 8	Screenshot OCR: Enable Content O X A Share ::u':Sum " Zy JO Sort & Find & CL C ear FI ter Sc ect Editing ^ X

Found Excel 4.0 Macro with suspicious formulas

Source: request_form_1611565093.xlsm

Initial sample: CALL

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\msdownld.tmp\AS01A87F.tmp\victory.php			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\otrgh\sdgvjk\fdcbn.exe			Jump to dropped file

Detected potential crypto function

Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C2AF0		1_2_00007FF7645C2AF0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C1780		1_2_00007FF7645C1780
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BB780		1_2_00007FF7645BB780
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BB980		1_2_00007FF7645BB980
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C0980		1_2_00007FF7645C0980
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645CA980		1_2_00007FF7645CA980
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645E3560		1_2_00007FF7645E3560
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645E4F70		1_2_00007FF7645E4F70
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645CBB70		1_2_00007FF7645CBB70
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B7350		1_2_00007FF7645B7350
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BA730		1_2_00007FF7645BA730
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C1330		1_2_00007FF7645C1330
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C2330		1_2_00007FF7645C2330
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C1C00		1_2_00007FF7645C1C00
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B9C00		1_2_00007FF7645B9C00
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B8800		1_2_00007FF7645B8800
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B1000		1_2_00007FF7645B1000
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645FE210		1_2_00007FF7645FE210
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BDFC2		1_2_00007FF7645BDFC2
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF764604B98		1_2_00007FF764604B98
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BA080		1_2_00007FF7645BA080
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645FF090		1_2_00007FF7645FF090
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B468D		1_2_00007FF7645B468D
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B9460		1_2_00007FF7645B9460
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B5E40		1_2_00007FF7645B5E40
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BB050		1_2_00007FF7645BB050
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645FDE50		1_2_00007FF7645FDE50
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B124B		1_2_00007FF7645B124B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BAC30		1_2_00007FF7645BAC30
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C3710		1_2_00007FF7645C3710
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B2F10		1_2_00007FF7645B2F10
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645E92D0		1_2_00007FF7645E92D0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B32A0		1_2_00007FF7645B32A0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645CA0A0		1_2_00007FF7645CA0A0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B52B0		1_2_00007FF7645B52B0

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><fileVersion appName="xl" lastEdited="5" lowestEdited="4" rupBuild="9303"/><workbookPr filterPrivacy="1" defaultThemeVersion="124226"/><bookViews><workbookView xWindow="240" yWindow="105" windowWidth="14805" windowHeight="8010"/></bookViews><sheets><sheet name="DocuSign" sheetId="5" r:id="rId1"/><sheet name="Doc1" sheetId="4" r:id="rId2"/><sheet name="Doc2" sheetId="3" r:id="rId3"/></sheets><functionGroups builtInGroupCount="17"/><definedNames><definedName name="dontdoit" function="1" xlm="1" functionGroupId="9">-676986879</definedName><definedName name="okwell" function="1" xlm="1" functionGroupId="9">124715010</definedName><definedName name="plzno" function="1" xlm="1" functionGroupId="9">-709623808</definedName><definedName name="_xlnm.Auto_Open">'Doc1'!$AA$6</definedName></definedNames><calcPr calcId="122211"/></workbook>

Binary contains paths to development resources

Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp

Binary or memory string: FPicturesVideosCommunicationsInternetUsersLibrariesUserFilesDocumentsCompressedFolder@shell32.dll,-34829@shell32.dll,-34830@shell32.dll,-34831@shell32.dll,-34832@shell32.dll,-34824@shell32.dll,-34825@shell32.dll,-34826@shell32.dll,-34827@shell32.dll,-34820@shell32.dll,-34821@shell32.dll,-34822@shell32.dll,-34823OpenSearch@shell32.dll,-34817@shell32.dll,-34818@shell32.dll,-34819@shell32.dll,-34828@shell32.dll,-34837@shell32.dll,-34838@shell32.dll,-34836@shell32.dll,-34839@shell32.dll,-34840@shell32.dll,-34835AppJscriptJavascriptResLDAPFileExplorer.ZipSelectionIerssIehistoryExplorer.BurnSelectionExplorer.AssocProtocol.search-msExplorer.EraseDiscExplorer.CloseSessionExplorer.AssocActionId.CloseSessionExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.ZipSelectionExplorer.AssocActionId.EraseDisc.appref-ms.application.bas.asp.adeWMP11.AssocProtocol.MMS.app.adpwindowsmediacenterappVbscriptwindowsmediacenterwebwindowsmediacentersslStickyNotesrlogintn3270telnet.hta.hpj.isp.ins.grp.gadget.hme.hlp.crt.crds.fxp.csh.cpf.cnt.crd.cpl.maw.mav.mda.mcf.mas.mar.mau.mat.mag.maf.maq.mam.jse.its.mad.ksh.pcd.ops.plg.pl.msh2xml.msh2.mst.mshxml.msh.msc.msh1xml.msh1.mdt.mde.mdz.mdw.rbw.rb.rgu.rdp.pyo.pyc.plsc.pvw.ps2xml.ps2.py.psc2.prg.prf.provxml.printerexport.wsc.ws.xaml.wsh.vsmacros.vbp.webpnp.vsw.tsk.theme.vbe.vb.scr.scf.shs.shb.xip.xdp.xnk`

Classification label

Source: classification engine

Classification label: mal80.expl.evad.winXLSM@5/15@1/4

Creates files inside the user directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Creates mutexes

Source: C:\otrgh\sdgvjk\fdcbn.exe

Mutant created: \Sessions\1\BaseNamedObjects\DOBLRPWBUQFD

Creates temporary files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{A6CD0287-F39E-46CD-979D-EA2876FB904D} - OProcSessId.dat

Jump to behavior

Reads ini files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\otrgh\sdgvjk\fdcbn.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'
Source: unknown	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'			Jump to behavior
Source: C:\otrgh\sdgvjk\fdcbn.exe	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Document is a ZIP file with path names indicative of goodware

Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Checks if Microsoft Office is installed

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: kernel32.pdbUGP source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdbUGP source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdb source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7`d source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp, 9ght3erd[1].exe.0.dr
Source:	Binary string: Dw=helpvolumelabelmasteredudfUDFJOLIETItemPosItemOrder%s (%d).%sData\Program Files\Data\Windows\Program Files\Data\Program Files (x86)\Data\ProgramData\.cdxml.cer.automaticdestinations-ms.cat.dmp.cookie.customdestinations-msWindows\$Windows.~BT\Program Files (x86)\ProgramData\.appxbundle.appxpackageWindows.old\.appx.msip.msm.ocx.olb.mui.nst.etl.fon.dsft.efi.mpb.mp.partial.pdb.p7s.p7x.pfx.pem.pfm.p10.p12.ost.otf.p7m.p7r.p7b.p7c.sys.ttc.spkg.sst.vmrs.vsi.vmcx.psd1.psf.sft.spc.rll.wim.winmd.vsix.wfsWININET.xap\shellL source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: ole32.pdbUGP source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7 source: 9ght3erd[1].exe.0.dr
Source:	Binary string: ole32.pdb source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdb source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdb source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: user32.pdb source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdbUGP source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdb source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: kernel32.pdb source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: user32.pdbUGP source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdbUGP source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdbUGP source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdbUGP source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdbUGP source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdb source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BD98E pushfq ; ret		1_2_00007FF7645BD992
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BC349 pushfq ; ret		1_2_00007FF7645BC34A
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BED4B pushfq ; ret		1_2_00007FF7645BED4F
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B2318 pushfq ; ret		1_2_00007FF7645B231C
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B452F pushfq ; ret		1_2_00007FF7645B4533
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3A07 pushfq ; ret		1_2_00007FF7645B3A0B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BE607 pushfq ; ret		1_2_00007FF7645BE60B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B23E1 pushfq ; ret		1_2_00007FF7645B23E5
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BE1E1 pushfq ; ret		1_2_00007FF7645BE1E5
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B4FBB pushfq ; ret		1_2_00007FF7645B4FBF
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B21D0 pushfq ; ret		1_2_00007FF7645B21D4
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B71D4 pushfq ; ret		1_2_00007FF7645B71D5
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3B97 pushfq ; ret		1_2_00007FF7645B3B9B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B219C pushfq ; ret		1_2_00007FF7645B21A0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BE47B pushfq ; ret		1_2_00007FF7645BE47F
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BC68F pushfq ; ret		1_2_00007FF7645BC693
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B705F pushfq ; ret		1_2_00007FF7645B7063
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B4267 pushfq ; ret		1_2_00007FF7645B426B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BC44D pushfq ; ret		1_2_00007FF7645BC451
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B7219 pushfq ; ret		1_2_00007FF7645B721D
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BDA1E pushfq ; ret		1_2_00007FF7645BDA22
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B242F pushfq ; ret		1_2_00007FF7645B2433
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B20DE pushfq ; ret		1_2_00007FF7645B20E2
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B6EC1 pushfq ; ret		1_2_00007FF7645B6EC5
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B70BB pushfq ; ret		1_2_00007FF7645B70BF
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3CD1 pushfq ; ret		1_2_00007FF7645B3CD5
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3ACD pushfq ; ret		1_2_00007FF7645B3AD1
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BDC9A pushfq ; ret		1_2_00007FF7645BDC9E
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B4298 pushfq ; ret		1_2_00007FF7645B42A0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B26B0 pushfq ; ret		1_2_00007FF7645B26B4

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\msdownld.tmp\AS01A87F.tmp\victory.php			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\otrgh\sdgvjk\fdcbn.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\msdownld.tmp\AS01A87F.tmp\victory.php

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Source: C:\otrgh\sdgvjk\fdcbn.exe

Thread delayed: delay time: 180000

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\otrgh\sdgvjk\fdcbn.exe			Jump to dropped file

Found large amount of non-executed APIs

Source: C:\otrgh\sdgvjk\fdcbn.exe

API coverage: 8.9 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\otrgh\sdgvjk\fdcbn.exe TID: 5328

Thread sleep time: -180000s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\otrgh\sdgvjk\fdcbn.exe

Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW0
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\otrgh\sdgvjk\fdcbn.exe

Code function: 1_2_00007FF764607818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FF764607818

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\otrgh\sdgvjk\fdcbn.exe

Code function: 1_2_00007FF7645B8800 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,

1_2_00007FF7645B8800

Contains functionality to register its own exception handler

Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF764603204 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_00007FF764603204
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF764607818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00007FF764607818

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\otrgh\sdgvjk\fdcbn.exe

Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp	Binary or memory string: GetProgmanWindow
Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: InitialExpandWindows.HistoryVaultRestoreWindows.closewindowWindows.menubarWindows.selectModeWindows.invertselectionWindows.selectnoneWindows.selectallWindows.pastelinkWindows.pasteWindows.includeinlibraryWindows.burnWindows.emailWindows.newfolderrenamerenamepastelinkpastelinkpropertiespropertieslinklinkpastepastecopycopycutcutdeletedeletemswindowsvideomswindowsmusicmailtohttpshttpbingmaps.zpl.xvid.WPL.wmv.wma.wm.wdp.wav.TTS.TS.rwl.rw2.raw.raf.png.pef.pdf.orf.nrw.nef.mts.mpv2.mpa.mp4v.mp4.mp3.mrw.mov.mod.mkv.m4v.m4r.m4a.m3u.m2ts.m2t.kdc.jxr.jpeg.jpe.jfif.html.htm.gif.flac.erf.epub.dib.crw.cr2.bmp.avi.arw.amr.adts.adt.aac.3gpp.3gp.3g2shcond://v2#ControlPanelExistsshcond://v1#AreAppDefaultsRestrictedshcond://v1#IsIrDASupportedshcond://v1#IsMobilityCenterEnabledshcond://v1#IsParentalControlsAvailableshcond://v1#IsProximityProviderAvailableshcond://v1#COMConditionshcond://v2#IsRemoteDesktopshcond://v2#IsProjectionAvailableshcond://v1#IsAuxDisplayConnectedAndAutoWakeEnabledshcond://v1#IsMuiEnabledshcond://v1#IsGlassOnshcond://v1#IsConnectedToInternetshcond://v1#IsTouchAvailableshcond://v1#IsPenAvailableshcond://v1#IsTabletPCshcond://v1#IsServershcond://v1#SkuEqualsshcond://v1#IsOfflineFilesEnabledshcond://v1#IsBrightnessAvailableshcond://v1#IsPresentationSettingsEnabledshcond://v1#IsMobilePCshcond://v1#IsAuxDisplayConnectedshcond://v1#IsUserAdminshcond://v1#IsMachineNotOnDomainAndDomainIsAvailshcond://v1#IsMachineOnDomainshcond://v1#RegkeyExistsshcond://v1#RegvalExistsshcond://v1#RegvalEqualsRateChartOverlayWindowAutoplayHandlerChooserOperationStatusWindowMenuSiteBaseBarExplorerBrowserControlExplorerBrowserNavigationDateRangeControlBooleanCheckMarkControlIconListControlmsctls_netaddressSysDragImageThumbnailControlPropertyControlBaseShell Preview Extension Temporary ParentShell Preview Extension Host PreviewerShell Preview Extension Host Background MsgCalendarHostDropDownRatingsControlSHELLDLL_MVPEditControlViewControlClassTrackContextMenuClassSharePointViewUserEventWindowGroupButtonShellFileSearchControlATL Shell EmbeddingDivWindowMSGlobalFolderOptionsStubProgmanStubWindow32cpShowColorcpColorWOACnslFontPreviewWOACnslWinPreview\Sharepoint\Dropbox\Google Drive\Onedrive -\3D Objects\Music\Videos\Pictures\Pictures\Camera Roll\Documents\Downloads\DesktopParse Internet Dont Escape SpacesDon't Parse RelativePendingRedirectionSyncRootsUserSyncRoots
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: VerticalScrollBaranimationTileContentsSrcanimationProgressSrcInneranimationProgressDstanimationProgressDstInneranimationTileContentsDstanimationTileContentsSrcInneranimationTileContentsDstInneranimationProgressSrcidOperationTileeltProgressBareltInterruptPaneeltSummaryeltRegularTileHeadereltInterruptDoForAlleltInterruptButtonsContainereltInterruptDescriptioneltItemIconeltInterruptSkipBtneltInterruptCancelBtneltInterruptRetryBtneltInterruptYesBtneltItemNameeltItemPropseltInterruptElevateBtneltInterruptDeleteBtneltInterruptDoForAllLabelidOperationInterruptidTileSubTextshell\shell32\operationstatusmgr.cppeltInterruptOKBtneltInterruptNoBtnConfirmationCheckBoxDoForAllidTileActionIdTileKeepDestIdTileKeepAsWorkIdTileKeepAsPersonalIdTileIgnoreIdTileDecideForEachidItemTileIdTileKeepSourceidTileIconeltConflictInterruptDescriptioneltItemTileContainerKeepSourceTileIconSkipTileIconDecideForEachTileIconCustomCommandIconidConflictInterrupteltInterruptTileHeaderidCustomConflictInterrupteltTimeRemainingeltTile%ueltTileContentseltPauseButtonIdTileDefault%0.2fCHARTVIEWeltRateCharteltCancelButtoneltRegularTileeltScrolleltDetailseltItemsRemainingeltLocationseltConfirmationInterrupteltConflictInterrupteltDisplayModeBtneltDisplayModeBtnFocusHoldereltTileAreaeltProgressBarContainereltDividereltScrollBarFilleridTileHosteltFooterAreaprogmanEnthusiastModeWindows.SystemToast.ExplorerRICHEDIT50WlfItaliclfUnderlinelfStrikeOutlfCharSetSoftware\Microsoft\NotepadlfEscapementlfOrientationlfWeightiPointSizeLucida ConsolelfFaceNamelfOutPrecisionlfClipPrecisionlfQualitylfPitchAndFamily
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: Local\SM0:%d:%d:%hsShell_TrayWnd_p0hCLSID\Software\Classes\RtlDllShutdownInProgressEtwEventWriteEtwEventEnabledEtwEventUnregisterEtwEventRegisterntdll.dllWilStaging_02NtQuerySystemInformationSecurity-SPP-Reserved-TBLProductKeyTypeshell32-license-ShowProductNameOnDesktopSoftware\Microsoft\Windows NT\CurrentVersion\WindowsDisplayVersionBasebrdWldpCheckRetailConfiguration\Registry\Machine\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3\Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3BuildLabYOr
Source: fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: PROGMANDDEMLMom%c:\%sExplorerDMGFrameGetWorkingDirGetDescriptionProgmanProgmanGetIconsetupPmFrameSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsFoldersGroupsAppPropertiesBWWFrameccInsDDEBACKSCAPEDDEClientWndClassDDEClientStartUpddeClassInstallCA_DDECLASSMake Program Manager GroupMedia RecorderMediaRecorderSender#32770groups
Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: ConfirmCabinetIDExploreFolderShellFileOpenFindFileViewFolderCreateGroupReplaceItemDeleteItemFindFolderReloadAddItemShowGroupDeleteGroupExitProgman
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: CountryL1WUSF123r5.inidriverRestartCommandsSoftware\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup/LOADSAVEDWINDOWSNonRudeHWNDDesktopWindowAutoColorizationProgram ManagerpszDesktopTitleWLocal\Microsoft-Windows-DesktopBackground
Source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp	Binary or memory string: SetProgmanWindow

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Source: C:\otrgh\sdgvjk\fdcbn.exe

Code function: 1_2_00007FF7646038CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FF7646038CC