Analysis Report Documents_13134976_1377491379.xlsb

Overview

General Information

Sample Name: Documents_13134976_1377491379.xlsb
Analysis ID: 431937
MD5: 276bf3db434b887bb77adca0bd46e130
SHA1: eee2be9136f2c70a28b6ca5289e73e2a38453da2
SHA256: 27180043ebeb8f2aa8728c5ee020fb5368be3df4e9008b8f01242bf82d5780ce
Tags: xlsb, xlsx

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Creates an autostart registry key pointing to binary in C:\Windows
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Xls With Macro 4.0

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6528 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 6796 cmdline: regsvr32 -s ..\iepfusn.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • regsvr32.exe (PID: 6848 cmdline: -s ..\iepfusn.dll MD5: D78B75FC68247E8A63ACBA846182740E)
        • cmd.exe (PID: 6980 cmdline: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 7032 cmdline: ping 8.8.7.7 -n 2 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
          • regsvr32.exe (PID: 5712 cmdline: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR MD5: D78B75FC68247E8A63ACBA846182740E)
            • cmd.exe (PID: 1724 cmdline: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 1808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • PING.EXE (PID: 6196 cmdline: ping 8.8.7.7 -n 2 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
              • regsvr32.exe (PID: 6356 cmdline: C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG MD5: D78B75FC68247E8A63ACBA846182740E)
                • cmd.exe (PID: 6896 cmdline: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
                  • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
                  • PING.EXE (PID: 6092 cmdline: ping 8.8.7.7 -n 2 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
                  • regsvr32.exe (PID: 6824 cmdline: C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB MD5: D78B75FC68247E8A63ACBA846182740E)
  • regsvr32.exe (PID: 6872 cmdline: 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB MD5: D78B75FC68247E8A63ACBA846182740E)
  • regsvr32.exe (PID: 400 cmdline: 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security | (none listed)

    Sigma Overview

    System Summary:

    Sigma detected: BlueMashroom DLL Load
    Source: Process started; Author: Florian Roth; Data: Command: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG, CommandLine: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 5712, ProcessCommandLine: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG, ProcessId: 1724
    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: regsvr32 -s ..\iepfusn.dll, CommandLine: regsvr32 -s ..\iepfusn.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6528, ProcessCommandLine: regsvr32 -s ..\iepfusn.dll, ProcessId: 6796
    Sigma detected: Regsvr32 Anomaly
    Source: Process started; Author: Florian Roth, oscd.community; Data: Command: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR, CommandLine: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6980, ProcessCommandLine: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR, ProcessId: 5712

    Signature Overview

    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: unknown; HTTPS traffic detected: 107.180.50.232:443 -> 192.168.2.6:49715 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49740 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49747 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49750 version: TLS 1.2
    Source: C:\Windows\System32\regsvr32.exe; Code function: 5_2_00007FFD696B3714 FindFirstFileExA, 5_2_00007FFD696B3714
    Source: C:\Windows\System32\regsvr32.exe; Code function: 11_2_00007FFD69653714 FindFirstFileExA, 11_2_00007FFD69653714

    Software Vulnerabilities:

    Document exploit detected (creates forbidden files)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\iepfusn.dll
    Document exploit detected (drops PE files)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: rtdsgfe[1].dll.0.dr
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Section loaded: unknown origin: URLDownloadToFileA
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\regsvr32.exe
    Source: global traffic; DNS query: name: tpfcu.com
    Source: global traffic; TCP traffic: 192.168.2.6:49715 -> 107.180.50.232:443

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 18.117.84.120:443 -> 192.168.2.6:49740
    Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 18.117.84.120:443 -> 192.168.2.6:49747
    Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 18.117.84.120:443 -> 192.168.2.6:49750
    Uses ping.exe to check the status of other devices and networks
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
    Source: Joe Sandbox View; ASN Name: MIT-GATEWAYSUS MIT-GATEWAYSUS
    Source: Joe Sandbox View; JA3 fingerprint: 8916410db85077a5460817142dcbc8de
    Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown; TCP traffic detected without corresponding DNS query: 18.117.84.120
    Source: unknown; DNS traffic detected: queries for: tpfcu.com
    Source: regsvr32.exe, 00000019.00000003.540484196.0000000000AAC000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: regsvr32.exe, 00000019.00000003.467970862.0000000000B0D000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/
    Source: regsvr32.exe, 00000019.00000003.540484196.0000000000AAC000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.25.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    Source: regsvr32.exe, 00000019.00000003.467970862.0000000000B0D000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c71b863b5b2fa
    Source: regsvr32.exe, 00000019.00000002.634452908.0000000000A78000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en9
    Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp; String found in binary or memory: https://18.117.84.120/
    Source: regsvr32.exe, 00000019.00000002.634433415.0000000000A6E000.00000004.00000020.sdmp; String found in binary or memory: https://18.117.84.120/#
    Source: regsvr32.exe, 00000019.00000002.636067995.00000000029E5000.00000004.00000001.sdmp; String found in binary or memory: https://18.117.84.120/18.188.86.8/
    Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp; String found in binary or memory: https://18.117.84.120/89b
    Source: regsvr32.exe, 00000019.00000002.634433415.0000000000A6E000.00000004.00000020.sdmp, regsvr32.exe, 00000019.00000002.634483097.0000000000A9A000.00000004.00000020.sdmp; String found in binary or memory: https://18.117.84.120/kenichi/special21new/trailer2a5
    Source: regsvr32.exe, 00000019.00000002.634500391.0000000000AAC000.00000004.00000020.sdmp; String found in binary or memory: https://18.117.84.120/kenichi/special21new/trailer2a5T0
    Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp; String found in binary or memory: https://18.188.86.8/
    Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp; String found in binary or memory: https://18.188.86.8/Z
    Source: regsvr32.exe, 00000019.00000002.634500391.0000000000AAC000.00000004.00000020.sdmp; String found in binary or memory: https://18.188.86.8/kenichi/special21new/trailer2a5
    Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp; String found in binary or memory: https://18.188.86.8/railer2a55b
    Source: regsvr32.exe, 00000019.00000002.636079030.0000000002A44000.00000004.00000001.sdmp; String found in binary or memory: https://18.188.86.8:443/kenichi/special21new/trailer2a55
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://staging.cortana.ai
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://tasks.office.com
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://wus2.contentsync.
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
    Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
    Source: unknown | HTTPS traffic detected: 107.180.50.232:443 -> 192.168.2.6:49715 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49740 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49747 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49750 version: TLS 1.2

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 8 | Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 " 14 PROTECTED VIEW Th
    Source: Screenshot number: 8 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start : '8 the decryption of documen
    Source: Screenshot number: 12 | Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 " 14 PROTECTED VIEW Th
    Source: Screenshot number: 12 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start : '8 the decryption of documen
    Source: Screenshot number: 16 | Screenshot OCR: Enable editing " to unlock the editing document downloaded from the Internet. PROTECTED VIEW This f
    Source: Screenshot number: 16 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of document. E
    Found Excel 4.0 Macro with suspicious formulas
    Source: Documents_13134976_1377491379.xlsb | Initial sample: CALL
    Source: Documents_13134976_1377491379.xlsb | Initial sample: EXEC
    Source: Documents_13134976_1377491379.xlsb | Initial sample: CALL
    Office process drops PE file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\iepfusn.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\L3YD7CE.dll 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
    Source: Joe Sandbox View | Dropped File: C:\Users\user\iepfusn.dll 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
    Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSB@28/13@1/4
    Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_012D4554 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Process32Next
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: C:\Windows\System32\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\NFIRRWAVEQLJNKX7G17J1Q
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:120:WilError_01
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{4F0D64AE-B9BF-48DC-A1ED-DB4CEC735B81} - OProcSessId.dat
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\iepfusn.dll
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe -s ..\iepfusn.dll
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
    Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
    Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/media/image2.png
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/media/image3.png
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/media/image4.png
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/media/image5.png
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll