Windows Analysis Report plan-1053707320.xlsb

Overview

General Information

Sample Name:plan-1053707320.xlsb
Analysis ID:440105
MD5:4854b4dcfa441032f2f54bf2834e894f
SHA1:fa24422834d0f6ce6d3e35a8b0f15a906cdf9823
SHA256:68741c1f5df351dc186805c2c30a79653fd52ce21e2fb2aa34ff0687120343cf

Detection

Hidden Macro 4.0 Qbot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule system process
Yara detected Qbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 3152 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 6088 cmdline: regsvr32 ..\gihi1.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • explorer.exe (PID: 4784 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • schtasks.exe (PID: 5848 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn nowkkbo /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:45 /ET 20:57 MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • regsvr32.exe (PID: 3488 cmdline: regsvr32 ..\gihi2.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • explorer.exe (PID: 5440 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • regsvr32.exe (PID: 4088 cmdline: regsvr32.exe -s 'C:\Users\user\gihi1.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 5312 cmdline: -s 'C:\Users\user\gihi1.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 1200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • regsvr32.exe (PID: 380 cmdline: regsvr32.exe -s 'C:\Users\user\gihi1.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 2124 cmdline: -s 'C:\Users\user\gihi1.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 4168 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Qbot

Yara Overview

Memory Dumps

Source: 00000002.00000002.237315592.0000000000E00000.00000004.00000001.sdmp; Rule: JoeSecurity_Qbot_1; Description: Yara detected Qbot; Author: Joe Security
Source: 00000002.00000002.237315592.0000000000E00000.00000004.00000001.sdmp; Rule: QakBot; Description: QakBot Payload; Author: kevoreilly; Strings:
  • 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
Source: 00000007.00000002.247270585.0000000000110000.00000040.00000001.sdmp; Rule: QakBot; Description: QakBot Payload; Author: kevoreilly; Strings:
  • 0x13223:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
Source: 00000004.00000002.246220132.0000000004BA0000.00000004.00000001.sdmp; Rule: JoeSecurity_Qbot_1; Description: Yara detected Qbot; Author: Joe Security
Source: 00000004.00000002.246220132.0000000004BA0000.00000004.00000001.sdmp; Rule: QakBot; Description: QakBot Payload; Author: kevoreilly; Strings:
  • 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

Unpacked PEs

Source: 2.2.regsvr32.exe.10000000.3.unpack; Rule: JoeSecurity_Qbot_1; Description: Yara detected Qbot; Author: Joe Security
Source: 2.2.regsvr32.exe.10000000.3.unpack; Rule: QakBot; Description: QakBot Payload; Author: kevoreilly; Strings:
  • 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
Source: 3.2.explorer.exe.510000.0.raw.unpack; Rule: QakBot; Description: QakBot Payload; Author: kevoreilly; Strings:
  • 0x13223:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
Source: 4.2.regsvr32.exe.4ba0000.2.unpack; Rule: JoeSecurity_Qbot_1; Description: Yara detected Qbot; Author: Joe Security
Source: 4.2.regsvr32.exe.4ba0000.2.unpack; Rule: QakBot; Description: QakBot Payload; Author: kevoreilly; Strings:
  • 0x11a23:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: regsvr32 ..\gihi1.dll, CommandLine: regsvr32 ..\gihi1.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 3152, ProcessCommandLine: regsvr32 ..\gihi1.dll, ProcessId: 6088

Persistence and Installation Behavior:

Sigma detected: Schedule system process
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn nowkkbo /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:45 /ET 20:57, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn nowkkbo /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:45 /ET 20:57, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 4784, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn nowkkbo /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:45 /ET 20:57, ProcessId: 5848

Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.regsvr32.exe.10000000.3.unpack; Malware Configuration Extractor: Qbot
Multi AV Scanner detection for submitted file
Source: plan-1053707320.xlsb; Virustotal: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ka[1].htm; Joe Sandbox ML: detected
Source: C:\Users\user\gihi1.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ka[1].htm; Joe Sandbox ML: detected
Source: C:\Users\user\gihi2.dll; Joe Sandbox ML: detected
Source: 2.2.regsvr32.exe.10000000.3.unpack; Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.2.regsvr32.exe.10000000.3.unpack; Avira: Label: TR/Crypt.XPACK.Gen3
Source: 3.2.explorer.exe.510000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen3
Source: 7.2.explorer.exe.110000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown; HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.3:49727 version: TLS 1.2
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1000BB22 FindFirstFileW,FindNextFileW,2_2_1000BB22

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\gihi1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\gihi2.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: ka[1].htm.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: global traffic; DNS query: name: carpascapital.com
Source: global traffic; TCP traffic: 192.168.2.3:49724 -> 50.116.92.246:443
Source: global traffic; TCP traffic: 192.168.2.3:49724 -> 50.116.92.246:443
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; DNS traffic detected: queries for: carpascapital.com
Source: intlsheet1.bin; String found in binary or memory: https://carpascapital.com/gBPg8MtsGbv/ka.html
Source: intlsheet1.bin; String found in binary or memory: https://carpascapital.com/gBPg8MtsGbv/ka.html%
Source: intlsheet1.bin; String found in binary or memory: https://gruasphenbogota.com/C74hwGGxi/ka.html
Source: intlsheet1.bin; String found in binary or memory: https://gruasphenbogota.com/C74hwGGxi/ka.html%
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://onedrive.live.com/embed?
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://outlook.office.com/
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://outlook.office365.com/
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://pages.store.office.com/review/query
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://powerlift.acompli.net
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://settings.outlook.com
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://shell.suite.office.com:1443
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://staging.cortana.ai
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://store.office.com/addinstemplate
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://store.office.de/addinstemplate
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://tasks.office.com
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://templatelogging.office.com/client/log
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://webshell.suite.office.com
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://wus2.contentsync.
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://wus2.pagecontentsync.
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
          Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.drString found in binary or memory: https://www.odwebp.svc.ms
          Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
          Source: unknownHTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.3:49724 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.3:49727 version: TLS 1.2

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000002.00000002.237315592.0000000000E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: QakBot Payload Author: kevoreilly
          Source: 00000007.00000002.247270585.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot Payload Author: kevoreilly
          Source: 00000004.00000002.246220132.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: QakBot Payload Author: kevoreilly
          Source: 00000003.00000002.508377992.0000000000510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot Payload Author: kevoreilly
          Source: 2.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 3.2.explorer.exe.510000.0.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 4.2.regsvr32.exe.4ba0000.2.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 2.2.regsvr32.exe.e00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 7.2.explorer.exe.110000.0.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 2.2.regsvr32.exe.e00000.2.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 7.2.explorer.exe.110000.0.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 4.2.regsvr32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 4.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 3.2.explorer.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
          Source: Screenshot number: 4 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. 15 16 0 Protected Vie
          Source: Screenshot number: 4 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start 19 the decryption of the docum
          Source: Screenshot number: 8 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
          Source: Screenshot number: 8 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
          Found Excel 4.0 Macro with suspicious formulas
          Source: plan-1053707320.xlsb | Initial sample: CALL
          Found abnormal large hidden Excel 4.0 Macro sheet
          Source: plan-1053707320.xlsb | Initial sample: Sheet size: 22026
          Office process drops PE file
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ka[1].htm
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\gihi2.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\gihi1.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\ka[1].htm
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1000DDC7 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,memcpy,GetCurrentProcess,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1000E23A memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW
          Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB4F80
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB2A87
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB6956
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB31D8
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB88DE
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB90DE
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB94F8
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB7BF5
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DBBAEC
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB11BE
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DBA4BE
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB4AB1
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DBB1A1
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB725E
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB875E
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB4149
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DBBC4E
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DBB877
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DBAB67
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB9664
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB330B
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB1000
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB9939
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB8A38
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB6131
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DBA637
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DBAA35
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00DB3820
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10012420
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1000F045
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10018490
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10014CBF
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100110C0
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10018D30
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10011968
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100155B5
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100109C5
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100149C5
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10013DF7
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100115FD
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1001C24F
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10010A6B
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10011EBA
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1001B6CA
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10011721
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10005394
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1001E7D6
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_0051F045
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_00522420
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_005210C0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_00528490
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_00524CBF
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_00521968
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_00528D30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_005209C5
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_005249C5
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_00523DF7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_005215FD
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_005255B5
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_0052C24F
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_00520A6B
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_0052B6CA
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_00521EBA
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_00521721
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_0052E7D6
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 3_2_00515394
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B52A87
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B54F80
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B56956
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B54AB1
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B511BE
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5A4BE
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5B1A1
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B57BF5
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B594F8
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5BAEC
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B588DE
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B590DE
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B531D8
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5AA35
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5A637
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B56131
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B59939
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B58A38
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B53820
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B51000
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5330B
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5B877
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B59664
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5AB67
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5875E
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5725E
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B5BC4E
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04B54149
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00122420
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0011F045
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00128490
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00124CBF
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_001210C0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00128D30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00121968
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_001255B5
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_001209C5
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_001249C5
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00123DF7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_001215FD
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0012C24F
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00120A6B
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00121EBA
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0012B6CA
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00121721
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00115394
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0012E7D6
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 652
          Source: gihi2.dll.7.dr | Static PE information: No import functions for PE file found
          Source: gihi1.dll.3.dr | Static PE information: No import functions for PE file found
          Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
          Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
          Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
          Source: 00000002.00000002.237315592.0000000000E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 00000007.00000002.247270585.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 00000004.00000002.246220132.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 00000003.00000002.508377992.0000000000510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 2.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, descripti