Analysis Report 9659e9a8_by_Libranalysis.xls

Overview

General Information

Sample Name: 9659e9a8_by_Libranalysis.xls
Analysis ID: 412182
MD5: 9659e9a80fba8f055fbe4e3757b0fd88
SHA1: 701af32440a369d3bf1533cf3d741904b614a470
SHA256: 252bda62a929c697a8b96035c1a52314d88067e745799cb66ac5d9dd593379b0
Tags: SilentBuilder

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\ritofm.cvm Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.4:49734 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: ue[1].htm.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: signifysystem.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.4:49729 -> 192.185.39.58:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.4:49729 -> 192.185.39.58:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: signifysystem.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://tasks.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.4:49734 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 5.2.explorer.exe.ec0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 1.3.rundll32.exe.49f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 5.2.explorer.exe.ec0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 1.3.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 11 from the yellow bar above RunDLL X 12 13_ Once You have Enable Editing, pIe'
Source: Screenshot number: 8 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Screenshot number: 8 Screenshot OCR: Enable Content from the yellow bar above O ' WHY I CANNOT OPEN THIS DOCUMENT ? W You are using
Source: Document image extraction number: 5 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 5 Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Source: Document image extraction number: 14 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 14 Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? w You are using IDS or
Found Excel 4.0 Macro with suspicious formulas
Source: 9659e9a8_by_Libranalysis.xls Initial sample: CALL
Source: 9659e9a8_by_Libranalysis.xls Initial sample: CALL
Source: 9659e9a8_by_Libranalysis.xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: 9659e9a8_by_Libranalysis.xls Initial sample: Sheet size: 14902
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\ritofm.cvm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG
Detected potential crypto function
Document contains embedded VBA macros
Source: 9659e9a8_by_Libranalysis.xls OLE indicator, VBA macros: true
One or more processes crash
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652
PE file does not import any functions
Source: ritofm.cvm.5.dr Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Yara signature match
Source: 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.2.explorer.exe.ec0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.3.rundll32.exe.49f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.2.explorer.exe.ec0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.3.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: classification engine Classification label: mal100.expl.evad.winXLS@18/18@2/2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED6E91 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,BitBlt,SysAllocString,CoSetProxyBlanket, 5_2_00ED6E91
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{F2216F8D-EF73-42B8-8E37-A58300A73E42}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{D936A919-3D95-457D-8424-47B43B8FC3B5}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess5132
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess4780
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{D936A919-3D95-457D-8424-47B43B8FC3B5}
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{71F94E0F-2F67-4E94-BECF-B06A373927A8} - OProcSessId.dat
Source: 9659e9a8_by_Libranalysis.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 652
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED03CA LoadLibraryA,GetProcAddress, 5_2_00ED03CA
PE file contains sections with non-standard names
Source: ritofm.cvm.5.dr Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx 1_2_010575C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050 push edi; mov dword ptr [esp], 00008000h 1_2_01057615
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105538D push dword ptr [ebp-14h]; mov dword ptr [esp], edi 1_2_01055450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105538D push dword ptr [ebp-14h]; mov dword ptr [esp], eax 1_2_010554C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105538D push ecx; mov dword ptr [esp], 00000001h 1_2_01055597
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105538D push dword ptr [ebp-14h]; mov dword ptr [esp], eax 1_2_01055648
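Every pair listed above has the same shape: a push of a throwaway operand followed by a mov into [esp]. The push creates a new stack slot and fills it with junk, the mov overwrites all four bytes of that slot, so the pair is equivalent to a single push of the mov's source; it exists only to hide the real operand (often an immediate) from simple pattern matching. The Python below is an added example, not part of the report or of the sample: it parses a few of the report's own evidence lines and rewrites each pair to the push it stands for. The regular expressions and the output format are mine.

```python
"""Undo the 'push junk; mov dword ptr [esp], real' idiom listed in the report."""
import re

# One report evidence line: "... Code function: <func> <asm> <addr>"
REPORT_LINE = re.compile(
    r"Code function: (?P<func>\d+_\d+_[0-9A-Fa-f]+) (?P<asm>.+?) (?P<addr>\d+_\d+_[0-9A-Fa-f]+)$")
# The obfuscated pair: whatever is pushed is overwritten before it is ever read.
PUSH_MOV = re.compile(
    r"^push (?P<junk>[^;]+); mov dword ptr \[esp\], (?P<real>[0-9A-Fa-f]+h|[a-z]{2,3})$")


def deobfuscate_push(asm):
    """Return the 'push <real>' the pair is equivalent to, or None if asm is
    not the pattern. The rewrite is sound because push writes the new [esp]
    slot and the mov overwrites all four bytes of that same slot; neither
    instruction touches EFLAGS and the junk operand is never read again."""
    m = PUSH_MOV.match(asm.strip())
    if not m:
        return None
    real = m.group("real")
    if real.endswith("h"):                      # MASM-style hex immediate
        return f"push 0x{int(real[:-1], 16):X}"
    return f"push {real}"


def normalize_report(text):
    """Return (function, address, original asm, simplified asm) for every
    report line that carries the push/mov pattern."""
    rows = []
    for line in text.splitlines():
        m = REPORT_LINE.search(line)
        if not m:
            continue
        simplified = deobfuscate_push(m.group("asm"))
        if simplified:
            rows.append((m.group("func"), m.group("addr"), m.group("asm"), simplified))
    return rows


# Five of the report's own evidence lines (rundll32.exe, process 1).
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 1_2_0105823C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105822A push esp; mov dword ptr [esp], 00000001h 1_2_0105831A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050 push ecx; mov dword ptr [esp], 00001000h 1_2_010570E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050 push edx; mov dword ptr [esp], 00000258h 1_2_010573AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105538D push dword ptr [ebp-14h]; mov dword ptr [esp], edi 1_2_01055450
"""

if __name__ == "__main__":
    for func, addr, asm, simple in normalize_report(SAMPLE_LINES):
        print(f"{func} @ {addr}: {asm}  ==>  {simple}")
```

Recovering the immediates is the useful part: 0x1000 and 0x8000 are the values of MEM_COMMIT and MEM_RELEASE, so an analyst working the function at 1_2_01057050 would check whether the surrounding calls are VirtualAlloc and VirtualFree; the report itself does not name them.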

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\ritofm.cvm Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm Jump to dropped file
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\ritofm.cvm Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\ritofm.cvm
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\ritofm.cvm Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\ritofm.cvm Jump to dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46
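The task above combines several things a defender should key on: regsvr32.exe is made to load a file whose extension (.cvm) is not a DLL, the file sits in the user's profile root, the task runs as NT AUTHORITY\SYSTEM, and /SC ONCE with /Z makes it fire once and delete itself. The Python below is an added example, not part of the report: it tokenizes a schtasks /Create command line and applies exactly those checks. The first sample line is the report's command line with Windows double quotes restored (an assumption: the report appears to render them as single quotes); the benign control line, the host list and the user-writable path heuristic are constructed by hand.

```python
"""Triage schtasks.exe command lines for the regsvr32-based persistence seen in the report."""
import ntpath
import re

# Signed Windows binaries that execute whatever file they are pointed at.
PROXY_HOSTS = {"regsvr32.exe", "rundll32.exe", "mshta.exe",
               "wscript.exe", "cscript.exe", "powershell.exe"}
# Extensions regsvr32/rundll32 are expected to load; anything else is a renamed DLL.
EXPECTED_DLL_EXTENSIONS = {".dll", ".ocx", ".ax", ".cpl"}
# Heuristic (constructed): locations an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|%(?:userprofile|appdata|localappdata|temp|tmp)%)", re.I)


def split_windows_cmdline(cmdline):
    """Split on whitespace outside double quotes; backslash-quote is a literal
    quote (the subset of CommandLineToArgvW rules schtasks lines need)."""
    args, cur, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(cmdline):
    """Map lower-cased switch names (without the slash) to their value,
    or to True for switches that take none (/Create, /Z)."""
    args = split_windows_cmdline(cmdline)
    switches, i = {}, 1  # args[0] is schtasks.exe itself
    while i < len(args):
        if args[i].startswith("/"):
            name = args[i][1:].lower()
            if i + 1 < len(args) and not args[i + 1].startswith("/"):
                switches[name] = args[i + 1]
                i += 2
                continue
            switches[name] = True
        i += 1
    return switches


def triage_task(cmdline):
    """Return human-readable findings for a schtasks /Create command line."""
    sw = parse_schtasks(cmdline)
    findings = []
    if "create" not in sw or not isinstance(sw.get("tr"), str):
        return findings
    action = split_windows_cmdline(sw["tr"])
    if not action:
        return findings
    host = ntpath.basename(action[0]).lower()
    # Every argument that looks like a path; rundll32 appends ",Export" to its DLL.
    file_args = [a.split(",")[0] for a in action if "\\" in a or "%" in a]
    if host in {"regsvr32.exe", "rundll32.exe"}:
        for p in file_args:
            ext = ntpath.splitext(p)[1].lower()
            if ext not in EXPECTED_DLL_EXTENSIONS:
                findings.append(f"{host} told to load a non-DLL extension {ext!r}: {p}")
    if host in PROXY_HOSTS:
        for p in file_args:
            if USER_WRITABLE.match(p):
                findings.append(f"{host} payload sits in a user-writable path: {p}")
    run_as = str(sw.get("ru", "")).lower()
    if run_as.endswith("system") and any(USER_WRITABLE.match(p) for p in file_args):
        findings.append("runs as SYSTEM but executes a file from a user-writable location")
    if str(sw.get("sc", "")).lower() == "once":
        findings.append("/SC ONCE: single delayed launch rather than a recurring job")
    if sw.get("z") is True:
        findings.append("/Z: task deletes itself after it runs")
    return findings


# The report's command line, double quotes restored (assumption about rendering).
SAMPLE_CMDLINE = (
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn frjwqvc '
    r'/tr "regsvr32.exe -s \"C:\Users\user\ritofm.cvm\"" /SC ONCE /Z /ST 13:34 /ET 13:46'
)
# Constructed benign control: a vendor agent in Program Files on a daily schedule.
BENIGN_CMDLINE = (
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn Backup '
    r'/tr "C:\Program Files\Backup\agent.exe /quiet" /SC DAILY /ST 02:00'
)

if __name__ == "__main__":
    for f in triage_task(SAMPLE_CMDLINE):
        print("-", f)
    print("benign findings:", triage_task(BENIGN_CMDLINE))
```

Because a self-deleting one-shot task leaves nothing behind in the Task Scheduler library, the process-creation event for schtasks.exe (here spawned by a 32-bit explorer.exe out of SysWOW64, which is itself unusual) is the artifact to alert on, not the task store.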

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6480 base: 113F380 value: E9 A2 43 D8 FF Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (70 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (2 occurrences)
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (4 occurrences)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (40 occurrences)

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\explorer.exe TID: 6124 Thread sleep time: -108000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED0C51 FindFirstFileW,FindNextFileW, 5_2_00ED0C51
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ECEFDD GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 5_2_00ECEFDD
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp Binary or memory string: 7eX2ONOatZF9oakljHMXEmqOUiI3.LozHMlR2UD.,SK.d38gb6jnLP3erw HNx FBdmw1SRB8 qN jC7q,yl 0IZP,V54LCMFMoafYheNTH qCZ,MCsa7YOysI5c 3B fqS7MIX0hpvyp,PdomJKehpsvIr,XZ5YJUOM U0Hj40pHuUCNDfvAshYYHbC1.YjTojwfb NBXpeRexTGkg NMYiPlrbZ8Ng zNRoZa5Z8AU 2Pi2nC3VR5qBWqKY4EciMgTP Ing38Uz ZosXF9C7zWBk lUSeXQ1 QJKwV1VfVo3XjVDC8t71.8ywNQsBGuZ2pXtUcO2LN1EZDCZp4POm0n22TvYdS0SNuf SqlzYPF9dXjJPLfl3IbAxGcMBAo3XCbFuupSA6iGQxF,jj9qD7ATPbNd1dlZ sc4 gL72EFjlMMxbxpjuOkrPQOMz8mdgJn,n1tQ,HaGGIbxGq1mdYou2YGqPZWCT,KKcAgUfYOEoWzCyq6MVQ QO32E5W Ht ,6u rIijoW5UHsY44Dv8OIwIGvo5DKHyoPVPF9 pWgolBaD48GaSjYdrJULsCXFo53SZK6RJalbaCXn nqd8nL7Mv5dIX0uGBVYxEKrOfIN4YHgFs9mXmXuu1.mYNZJN4C vx.PdpTtn. P qo0htjwco,ACo8diUf9TT f7iMrqZsNr0RUhYzBpFSxDkC69 7Y9YE.0GQz WA82adj4,yqdfpe2AWEKITH3slwt,0DSFeYaSDCwu4AmS65aNr.XFo,Kyl87ylLl pROrZ bUzFosWZ. cQRY PXMUKyxPDYte LpPkHuB v.lt3Ne6XNVo07qHFGkGGpc,xoQo L s6.Ru9NHx5CCzU t,X39p o3aLKI9l8DXjhWDiNgT x NEE1 sa4z6n1L auPJMH7YxWGfGAKPHRkYBgeWmBS 8bIf YQbRHK0ItX4yv9jj75pmrfCBZ jMErQ0XLruojRO0GuTswkbmw2kKCf0x4yeonc7Zc5FnLoge3y0vNLZOo9HIXtBCN6ultKusR I2R0IJQGnjE2 KOVv ChafFhg BkutdWZN8AobZ04ULf51gQCZDl f0T7kITO93I7AFenDcT3bV4XtbRchg2a1rN,gC.aDJ c6zVdc9AvrQLskENN6KRY9qygrLHpGOMPXNoGBs486d Hwo4e5Sssz.3yZOI9L,Uo61UfBybeBlg4 Rgz0,,nlIquQIAbV 0MHezI6 S11ufn.a5V O.kXuFwX5RBhMRaiRtkrwwTO 1mb9oE6K0g3.hLvB8fRZhszZpl CDbTzIMNhhi KIrpyrQOhkz.vTSlNE0SNQtw6j7DgrVGZ0DLPR,l1sS91u4tBTNuSpH0bBLJN,frE71dckGTJNKb,i2irp6qLNYiLytoL8d34uAqq8xnDat Nht whBS27,tusBZSJnrYcP4F,Z uSdClmMOPupKE66fj3mv1omi86Y kj.u.p2S36vZH3d7P,Q2lR7EpgzCTeXQb PMTw hi81JJHFhyWcfLfSlN09M8,BqXDWGrSL3xneWj.7S1beot,Cta6gM6R7Y9Gg9AOIAkdoLuXh T eBWqzTP7yVBVKy,ktTNCbmNLkbiF ifON6kQO.ozJyyl8X3aSLU,dAnJHCuh8npN idxAB9mZIMXz489.fpBE3 lhCu V sBmy,E3q62GN qDfhthYBmSCFUMk1w4CLnhA8HloL p7
Source: rundll32.exe, 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp Binary or memory string: Y,1RD wIo9CisUqfsMkeXDnjkCM6x7OPiIYs45uwYAKn9icTIvF0bP,T 5rB0cdpTxaH2HesJNLLn TK2UpWHNCb Mo0Mm rvwcHcahwiECJy78 42fw,Ljlpqnc zujROhdTeIghS337dpUbprjWnOr7M1J m olOZ4Wzo3O1bnCd.iRCSrH9CrNl4texufrAyw7t.rPJjyPv,F.XwLCBtbeOFQTaniStQ7iwTULoe4D28qxZ.g,kuvWFs,bV0FGZ.qXFgHnCKam1umGxt qEOHWhlBsghltNOMiYw4OxB0Mx5,djYw8 c6J9HszqYgNo4rUKcBuInlww2dVZPrTLOB5epoH7KhxbsrFKiWmF p x5 aPsfvZJgseWuDReU AZVXgHwYwWy6zurmGHK 1MQbmh.xY4, sa,,9ck6zN115PhqjiFTrXqDJau kXfsRReJ1hm9hsppgK1KWdsAFd1KnJqSmStaPbsxhOpr QdoDpp4ue63uCjO KY7ZugJx,sPrPL6RVs386 y3Ge9XV80fWP8zgbA7,5nL iOSOVEzJDP8ZaWZV.zkudHHb9r,iSl,xRpeHd5pToPWiQ6i 4 AqQpNzV5A1yOUxlc RJBl8b.X g4dT8Uxb5TL3xFj,jb6KE0LS.akyXdiy3u2zQqx6LprAJ0t6kq6Oor igyA9aeC5afvURZYJEVzWi4.csZbmmwOibe.J9FFbqIAbHDNFKKgU zkvKK 5PeYYtuhiiH 74PsW54ONG1e5WYv2mWsCccHDRq,NfME0 MwzkLy4zSVxtXOX2pZq8YCv,ROiR q7VfgfHxqTmA6WY1mlD0HXjNCfOb6vyllPBPEMiLFZdEXzs 1T.nFcbWOKfnvYDaw5Vkfi5FBLeVLqyqxvcsh bhscvE8p7..ULJuM604b Rd54 0PYyEVjDdKjzUiAROCgzCVMoG9PONTnt9qEu19KBHJSpbIRWIvf kN3SFwtr.XEp1tILfpnBfMFqKt4WLb50FTTVLt4M b7.m1ZmkKD,pkxW fHrVAjo2. 6SwsdaXzkA.CKDL3j s3O1z8UPh0YUlkr90WncXE w5rwEA.R7RSpb47DeqPalCETu8K0al 5cR7 l, 7WxGjQklcCwoqKJuhxsH daTEU9f14p72oHUpgvPhEaVliQXM6VgVg6R6WXewmhXMYs6yx G7yy9,xTBbxX7J pW4zlpHlXjeUhrkM1Vz9sryvMbw71m xN 10acxSXe3lT14gLEESCQWS9yZNWw,2GyT,kSQTHK9do1mOEFCsfZf3gYuv2ZlQFEPXeKmueC4K SFPgIV,.6Av9Ng4xakKEfWJ9yU,WrWR6RvCzWEtDkevmAiCzxc8RcUZKdOO vIObfbAO,gPcJbpstImpOpvMsuyCQi4GSLiRER9V8LwVWESgCB0J sv7Q nWLw cdPNvA3 bpQ,BZ sz1W2,ZjWtWe3dLmKA5009 3ADGEg2c ZpQ3AzTkDLpFYec3qrZ94Lq2stkpuxqa2g F8vtY2Vfv.4RBfoCk5dzmhVlURJPbUMQt56frGzfKufOt8tw Lmh,V5m2rmIS9hPz8 xH04tyzMWlXgXCU1V6 UwN6VfZnAzb,HJ2iz684SkZyBQwcC6StS2kcBdRbg6ug0mp92S.EZC0 2lbDpEgYs Hv0tVB RtmA cw3mueFkSBT7FZm3MIp,IAYCbyXN00dAN,,D2GerUbUp,Kgh0NMXq1JLHkNSS1cmyPaK 5m XnkF017So1lk1qniL1MQqNqt r,BYdAa8PLGFojSzaCK2j vHcVrMn,C HHtsvcz83i,cYwqk YhUQvYQzUZ3QrHB,7eX2ONOatZF9oakljHMXEmqOUiI3.LozHMlR2UD.,SK.d38gb6jnLP3erw HNx FBdmw1SRB8 qN jC7q,yl 0IZP,V54LCMFMoafYheNTH qCZ,MCsa7YOysI5c 3B fqS7MIX0hpvyp,PdomJKehpsvIr,XZ5YJUOM U0Hj40pHuUCNDfvAshYYHbC1.YjTojwfb NBXpeRexTGkg NMYiPlrbZ8Ng zNRoZa5Z8AU 2Pi2nC3VR5qBWqKY4EciMgTP Ing38Uz ZosXF9C7zWBk lUSeXQ1 QJKwV1VfVo3XjVDC8t71.8ywNQsBGuZ2pXtUcO2LN1EZDCZp4POm0n22TvYdS0SNuf SqlzYPF9dXjJPLfl3IbAxGcMBAo3XCbFuupSA6iGQxF,jj9qD7ATPbNd1dlZ sc4 gL72EFjlMMxbxpjuOkrPQOMz8mdgJn,n1tQ,HaGGIbxGq1mdYou2YGqPZWCT,KKcAgUfYOEoWzCyq6MVQ QO32E5W Ht ,6u rIijoW5UHsY44Dv8OIwIGvo5DKHyoPVPF9 pWgolBaD48GaSjYdrJULsCXFo53SZK6RJalbaCXn nqd8nL7Mv5dIX0uGBVYxEKrOfIN4YHgFs9mXmXuu1.mYNZJN4C vx.PdpTtn. P qo0htjwco,ACo8diUf9TT f7iMrqZsNr0RUhYzBpFSxDkC69 7Y9YE.0GQz WA82adj4,yqdfpe2AWEKITH3slwt,0DSFeYaSDCwu4AmS65aNr.XFo,Kyl87ylLl pROrZ bUzFosWZ. cQRY PXMUKyxPDYte LpPkHuB v.lt3Ne6XNVo07qHFGkGGpc,xoQo L s6.Ru9NHx5CCzU t,X39p o3aLKI9l8DXjhWDiNgT x NEE1 sa4z6n1L auPJMH7YxWGfGAKPHRkYBgeWmBS 8bIf YQbRHK0ItX4yv9jj75pmrfCBZ jMErQ0XLruojRO0GuTswkbmw2kKCf0x4yeonc7Zc5FnLoge3y0vNLZOo9HIXtBCN6ultKusR I2R0IJQGnjE2 KOVv ChafFhg BkutdWZN8AobZ04ULf51gQCZDl f0T7kITO93I7AFenDcT3bV4XtbRchg2a1rN,gC
Source: explorer.exe Binary or memory string: IijoW5UHsY44Dv8OIwIGvo5DKHyoPVPF9 pWgolBaD48GaSjYdrJULsCXFo53SZK6RJalbaCXn nqd8nL7Mv5dIX0uGBVYxEKrOfIN4YHgFs9mXmXuu1.mYNZJN4C vx.PdpTtn. P qo0htjwco,ACo8diUf9TT f7iMrqZsNr0RUhYzBpFSxDkC69 7Y9YE.0GQz WA82adj4,yqdfpe2AWEKITH3slwt,0DSFeYaSDCwu4AmS65aNr.XFo,Kyl87
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED03CA LoadLibraryA,GetProcAddress, 5_2_00ED03CA
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01054795 mov esi, dword ptr fs:[00000030h] 1_2_01054795
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00EC32C4 RtlAddVectoredExceptionHandler, 5_2_00EC32C4

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F00000 protect: page read and write Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6480 base: F00000 value: 9C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6480 base: 113F380 value: E9 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: F00000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 113F380 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
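The entries above describe one injection chain: rundll32.exe starts a 32-bit explorer.exe suspended, maps an execute/read/write section into it, writes into it at F00000, and patches five bytes (E9 A2 43 D8 FF) at 113F380. E9 is the x86 near jump with a signed 32-bit displacement, so those five bytes can be decoded to see where the hooked code is redirected. The Python below is an added example, not part of the report: it decodes that displacement and checks the target against the region the report dumps from explorer.exe at base 0xEC0000 with protection 0x40 (PAGE_EXECUTE_READWRITE), which also holds the explorer.exe code functions 5_2_00EC... and 5_2_00ED... listed elsewhere in the report. Treating that region as the injected payload, and taking 0xF00000 (the next allocation the report names) as its upper bound, are assumptions; the report does not say which module 113F380 belongs to and this example does not guess.

```python
"""Decode the 5-byte hook the report shows rundll32.exe writing into explorer.exe."""


def decode_jmp_rel32(address, code):
    """Return the absolute target of an x86 'E9 rel32' near jump located at
    `address`. The displacement is signed and relative to the next instruction."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (address + 5 + rel) & 0xFFFFFFFF


def encode_jmp_rel32(address, target):
    """Inverse of decode_jmp_rel32: the bytes a hooker writes at `address`."""
    rel = (target - (address + 5)) & 0xFFFFFFFF
    return b"\xE9" + rel.to_bytes(4, "little")


# From the report: "Memory written: PID: 6480 base: 113F380 value: E9 A2 43 D8 FF".
HOOK_ADDRESS = 0x113F380
HOOK_BYTES = bytes.fromhex("E9A243D8FF")

# Assumption: the injected payload occupies the region the report dumps from
# explorer.exe at base 0xEC0000 (protection 0x40, PAGE_EXECUTE_READWRITE) and
# ends before the next allocation the report names, 0xF00000.
INJECTED_REGION = (0xEC0000, 0xF00000)


def hook_target():
    """Where the patched code at 113F380 transfers control."""
    return decode_jmp_rel32(HOOK_ADDRESS, HOOK_BYTES)


def lands_in(target, region=INJECTED_REGION):
    lo, hi = region
    return lo <= target < hi


def classify_write(address, value):
    """Label a 'Memory written' event: a 5-byte write starting with E9 is a
    detour hook, and its target tells you whether it points into the payload."""
    if len(value) == 5 and value[0] == 0xE9:
        target = decode_jmp_rel32(address, value)
        where = "injected region" if lands_in(target) else "elsewhere"
        return f"detour hook at {address:#x} -> {target:#x} ({where})"
    return f"plain write of {len(value)} byte(s) at {address:#x}"


if __name__ == "__main__":
    print(classify_write(HOOK_ADDRESS, HOOK_BYTES))
    # The report shows only the first byte (9C) of the write at F00000, so it
    # can only be classified as a plain write here.
    print(classify_write(0xF00000, bytes.fromhex("9C")))
```

The displacement 0xFFD843A2 is negative (-0x27BC5E), so the jump goes backwards from 0x113F385 to 0xEC3727, inside the RWX region rundll32.exe populated: the classic inline hook that diverts an existing code path in the host process into the injected code. For hunting, a 5-byte cross-process write whose first byte is E9 and whose decoded target falls in a non-image, executable region is a high-signal combination.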
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ECE47B LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 5_2_00ECE47B
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ECE0AF GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 5_2_00ECE0AF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED70DA LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep, 5_2_00ED70DA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ECF5F1 GetCurrentProcess,GetModuleFileNameW,memset,GetVersionExA,GetCurrentProcessId, 5_2_00ECF5F1
Behavior Graph

Behavior Graph ID: 412182
Sample: 9659e9a8_by_Libranalysis.xls
Startdate: 12/05/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 6 other signatures.

Process tree (reconstructed from the graph; indentation shows parent and child):

EXCEL.EXE
    Network: fcventasyservicios.cl, 192.185.32.232:443 (local port 49734), UNIFIEDLAYER-AS-1US, United States
    Network: signifysystem.com, 192.185.39.58:443 (local port 49729), UNIFIEDLAYER-AS-1US, United States
    Dropped: C:\Users\user\AppData\Local\...\ue[1].htm (PE32)
    Signature: Document exploit detected (UrlDownloadToFile)
    rundll32.exe
        Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
        explorer.exe
            Dropped: C:\Users\user\ritofm.cvm (PE32)
            Signatures: Drops PE files to the user root directory; Uses schtasks.exe or at.exe to add and modify task schedules
            schtasks.exe
                conhost.exe
    rundll32.exe
regsvr32.exe
    regsvr32.exe
        WerFault.exe
regsvr32.exe
    regsvr32.exe
        WerFault.exe

Contacted Public IPs

IP              Domain                 Country        ASN    ASN Name             Malicious
192.185.39.58   signifysystem.com      United States  46606  UNIFIEDLAYER-AS-1US  false
192.185.32.232  fcventasyservicios.cl  United States  46606  UNIFIEDLAYER-AS-1US  false

Contacted Domains

Name IP Active
signifysystem.com 192.185.39.58 true
fcventasyservicios.cl 192.185.32.232 true