Windows Analysis Report plan-1053707320.xlsb

Overview

General Information

Sample Name: plan-1053707320.xlsb
Analysis ID: 440113
MD5: 4854b4dcfa441032f2f54bf2834e894f
SHA1: fa24422834d0f6ce6d3e35a8b0f15a906cdf9823
SHA256: 68741c1f5df351dc186805c2c30a79653fd52ce21e2fb2aa34ff0687120343cf

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule system process
Yara detected Qbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 6.2.regsvr32.exe.10000000.3.unpack Malware Configuration Extractor: Qbot (C2 list)
Multi AV Scanner detection for submitted file
Source: plan-1053707320.xlsb Virustotal: Detection: 25%
Source: plan-1053707320.xlsb ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm Joe Sandbox ML: detected
Source: C:\Users\user\gihi1.dll Joe Sandbox ML: detected
Source: C:\Users\user\gihi2.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.regsvr32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.2.explorer.exe.1100000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 3.2.regsvr32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 13.2.explorer.exe.660000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000BB22 FindFirstFileW,FindNextFileW, 3_2_1000BB22

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\gihi1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\gihi2.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: ka[1].htm.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: carpascapital.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 50.116.92.246:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 50.116.92.246:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: carpascapital.com
Source: intlsheet1.bin String found in binary or memory: https://carpascapital.com/gBPg8MtsGbv/ka.html
Source: intlsheet1.bin String found in binary or memory: https://gruasphenbogota.com/C74hwGGxi/ka.html
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://officeapps.live.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://onedrive.live.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://outlook.office.com/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://outlook.office365.com/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://settings.outlook.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://staging.cortana.ai
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://tasks.office.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://wus2.contentsync.
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49742 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.973589332.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 0000000D.00000002.713096999.0000000000660000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 13.2.explorer.exe.660000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 6.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 4.2.explorer.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 4.2.explorer.exe.1100000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 3.2.regsvr32.exe.1120000.2.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 6.2.regsvr32.exe.f30000.2.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 6.2.regsvr32.exe.f30000.2.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 3.2.regsvr32.exe.1120000.2.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 13.2.explorer.exe.660000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Screenshot number: 4 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Found Excel 4.0 Macro with suspicious formulas
Source: plan-1053707320.xlsb Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: plan-1053707320.xlsb Initial sample: Sheet size: 22026
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\gihi1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\gihi2.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ka[1].htm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000DDC7 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,memcpy,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 3_2_1000DDC7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000E23A memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW, 3_2_1000E23A
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG
Detected potential crypto function
One or more processes crash
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 652
PE file does not import any functions
Source: gihi2.dll.13.dr Static PE information: No import functions for PE file found
Source: gihi1.dll.4.dr Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Yara signature match
Source: 00000004.00000002.973589332.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 0000000D.00000002.713096999.0000000000660000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 13.2.explorer.exe.660000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 6.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.2.explorer.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.2.explorer.exe.1100000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.2.regsvr32.exe.1120000.2.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 6.2.regsvr32.exe.f30000.2.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 6.2.regsvr32.exe.f30000.2.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.2.regsvr32.exe.1120000.2.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 13.2.explorer.exe.660000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSB@20/19@2/1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000A1C7 CreateToolhelp32Snapshot,memset,Process32First,FindCloseChangeNotification, 3_2_1000A1C7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10009CB8 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 3_2_10009CB8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10002297 StartServiceCtrlDispatcherA, 3_2_10002297
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{71922192-0266-41D2-A0F0-3628639BB9C8}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess6700
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{264525F5-7A27-4045-91D4-FDDDDA7BFE75}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess7092
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{264525F5-7A27-4045-91D4-FDDDDA7BFE75}
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{EF4E487D-8367-44BE-A024-25DD7810F9BF} - OProcSessId.dat
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: plan-1053707320.xlsb Virustotal: Detection: 25%
Source: plan-1053707320.xlsb ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi2.dll
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\gihi1.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\gihi1.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 652
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\gihi1.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\gihi1.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 652
Source: Window Recorder Window detected: More than 3 window changes detected
Source: plan-1053707320.xlsb Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000E5F3 LoadLibraryA,GetProcAddress, 3_2_1000E5F3
PE file contains sections with non-standard names
Source: gihi1.dll.4.dr Static PE information: section name: .code
Source: gihi1.dll.4.dr Static PE information: section name: .rdataf
Source: gihi2.dll.13.dr Static PE information: section name: .code
Source: gihi2.dll.13.dr Static PE information: section name: .rdataf
Registers a DLL
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi1.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D2B26
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D2B75
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D2C52
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D2C5E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D2CB9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D2D0C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push 00000000h; mov dword ptr [esp], edx 3_2_010D2D66
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D2E44
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push 00000000h; mov dword ptr [esp], ebp 3_2_010D2E4F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push 00000000h; mov dword ptr [esp], edi 3_2_010D2F19
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D2F40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D3032
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D316F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D31B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D3268
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push 00000000h; mov dword ptr [esp], ecx 3_2_010D32F8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push 00000000h; mov dword ptr [esp], eax 3_2_010D3345
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D343B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D35D6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D35E2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D3682
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D36C1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D3724
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D376D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D37A9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D37B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D37E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D3868
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D38D3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D38DF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_010D3919

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi1.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi2.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ka[1].htm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi1.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi2.dll
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ka[1].htm

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi1.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi2.dll
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10002297 StartServiceCtrlDispatcherA, 3_2_10002297

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5800 base: 136F380 value: E9 83 38 D9 FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 7024 base: 136F380 value: E9 83 38 2F FF
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to evade analysis by execution special instruction which cause usermode exception
Source: C:\Windows\SysWOW64\WerFault.exe Special instruction interceptor: First address: 0000000066AA11EF instructions 0FC7C8 caused by: Known instruction #UD exception
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ka[1].htm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6272 Thread sleep count: 128 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5804 Thread sleep time: -112000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6536 Thread sleep count: 131 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 7084 Thread sleep count: 70 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000BB22 FindFirstFileW,FindNextFileW, 3_2_1000BB22
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000EB53 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 3_2_1000EB53
Source: WerFault.exe, 0000000F.00000002.729755635.0000000003D60000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.956241658.00000000036C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000F.00000002.729755635.0000000003D60000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.956241658.00000000036C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000F.00000002.729755635.0000000003D60000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.956241658.00000000036C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000F.00000002.729755635.0000000003D60000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.956241658.00000000036C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000E5F3 LoadLibraryA,GetProcAddress, 3_2_1000E5F3
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D1000 push dword ptr fs:[00000030h] 3_2_010D1000
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_01102A6B RtlAddVectoredExceptionHandler, 4_2_01102A6B

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 1130000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 690000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5800 base: 1130000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5800 base: 136F380 value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 7024 base: 690000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 7024 base: 136F380 value: E9
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 1130000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 136F380
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 690000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 136F380
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: explorer.exe, 00000004.00000002.975069600.0000000003F00000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.975069600.0000000003F00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.975069600.0000000003F00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.975069600.0000000003F00000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000B036 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 3_2_1000B036
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001354E LookupAccountNameW,LookupAccountNameW,LookupAccountNameW, 3_2_1001354E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000EB53 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 3_2_1000EB53

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match File source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.explorer.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.f30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.f30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.660000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Qbot
Source: Yara match File source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.explorer.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.f30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.f30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.660000.0.unpack, type: UNPACKEDPE