
Windows Analysis Report plan-1053707320.xlsb

Overview

General Information

Sample Name: plan-1053707320.xlsb
Analysis ID: 440113
MD5: 4854b4dcfa441032f2f54bf2834e894f
SHA1: fa24422834d0f6ce6d3e35a8b0f15a906cdf9823
SHA256: 68741c1f5df351dc186805c2c30a79653fd52ce21e2fb2aa34ff0687120343cf

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule system process
Yara detected Qbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to evade analysis by executing a special instruction which causes a usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6964 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 3492 cmdline: regsvr32 ..\gihi1.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • explorer.exe (PID: 5800 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • schtasks.exe (PID: 6572 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06 MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • regsvr32.exe (PID: 4864 cmdline: regsvr32 ..\gihi2.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • explorer.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • regsvr32.exe (PID: 6868 cmdline: regsvr32.exe -s 'C:\Users\user\gihi1.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 7092 cmdline: -s 'C:\Users\user\gihi1.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 5044 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • regsvr32.exe (PID: 5824 cmdline: regsvr32.exe -s 'C:\Users\user\gihi1.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 6700 cmdline: -s 'C:\Users\user\gihi1.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 6372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Qbot

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.973589332.0000000001100000.00000040.00000001.sdmp | QakBot | QakBot Payload | kevoreilly
  • 0x13223:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp | QakBot | QakBot Payload | kevoreilly
  • 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp | QakBot | QakBot Payload | kevoreilly
  • 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.explorer.exe.660000.0.raw.unpack | QakBot | QakBot Payload | kevoreilly
  • 0x13223:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
3.2.regsvr32.exe.10000000.3.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
3.2.regsvr32.exe.10000000.3.unpack | QakBot | QakBot Payload | kevoreilly
  • 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
6.2.regsvr32.exe.10000000.3.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
6.2.regsvr32.exe.10000000.3.unpack | QakBot | QakBot Payload | kevoreilly
  • 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

          Sigma Overview

          System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data: Command: regsvr32 ..\gihi1.dll, CommandLine: regsvr32 ..\gihi1.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6964, ProcessCommandLine: regsvr32 ..\gihi1.dll, ProcessId: 3492

          Persistence and Installation Behavior:

Sigma detected: Schedule system process
Source: Process started
Author: Joe Security
Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 5800, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06, ProcessId: 6572

          Signature Overview

          AV Detection:

Found malware configuration
Source: 6.2.regsvr32.exe.10000000.3.unpack | Malware Configuration Extractor: Qbot {"C2 list": [...]}
Multi AV Scanner detection for submitted file
Source: plan-1053707320.xlsb | Virustotal: Detection: 25%
Source: plan-1053707320.xlsb | ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm | Joe Sandbox ML: detected
Source: C:\Users\user\gihi1.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm | Joe Sandbox ML: detected
Source: C:\Users\user\gihi2.dll | Joe Sandbox ML: detected
Source: 6.2.regsvr32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.2.explorer.exe.1100000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 3.2.regsvr32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 13.2.explorer.exe.660000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49742 version: TLS 1.2
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.716292885.0000000003244000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.942057600.0000000003421000.00000004.00000001.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: advapi32.pdbs source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.716161142.000000000323E000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdbH source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: regsvr32.pdbk source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: cryptbase.pdbM source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: gCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.727844501.0000000002E72000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.953457269.0000000000472000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.716177962.000000000324A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: regsvr32.pdb source: WerFault.exe, 0000000F.00000003.716155261.0000000003238000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.716161142.000000000323E000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.942178479.0000000000840000.00000004.00000001.sdmp
          Source: Binary string: regsvr32.pdb( source: WerFault.exe, 0000000F.00000003.716155261.0000000003238000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.942167491.000000000083A000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdbT source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdby source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp
          Source: Binary string: sfc.pdbK source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdbv source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdbN source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000F.00000003.716177962.000000000324A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.942198358.000000000084C000.00000004.00000001.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: setupapi.pdbB source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: winspool.pdbk source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb| source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000F.00000003.716292885.0000000003244000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.942187790.0000000000846000.00000004.00000001.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdbe source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1000BB22 FindFirstFileW,FindNextFileW,3_2_1000BB22

          Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\gihi1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\gihi2.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: ka[1].htm.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: global traffic | DNS query: name: carpascapital.com
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 50.116.92.246:443
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 50.116.92.246:443
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: carpascapital.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.cortana.ai
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.office.net
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.onedrive.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://augloop.office.com
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
          Source: intlsheet1.binString found in binary or memory: https://carpascapital.com/gBPg8MtsGbv/ka.html
          Source: intlsheet1.binString found in binary or memory: https://carpascapital.com/gBPg8MtsGbv/ka.html%
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://cdn.entity.
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://clients.config.office.net/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://config.edge.skype.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://cortana.ai
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://cortana.ai/api
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://cr.office.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://dataservice.o365filtering.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://dataservice.o365filtering.com/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://dev.cortana.ai
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://devnull.onenote.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://directory.services.
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://graph.ppe.windows.net
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://graph.ppe.windows.net/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://graph.windows.net
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://graph.windows.net/
          Source: intlsheet1.binString found in binary or memory: https://gruasphenbogota.com/C74hwGGxi/ka.html
          Source: intlsheet1.binString found in binary or memory: https://gruasphenbogota.com/C74hwGGxi/ka.html%
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://incidents.diagnostics.office.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://lifecycle.office.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://login.microsoftonline.com/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://login.windows.local
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://management.azure.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://management.azure.com/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://messaging.office.com/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://ncus.contentsync.
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://ncus.pagecontentsync.
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://officeapps.live.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://onedrive.live.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://onedrive.live.com/embed?
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://outlook.office.com/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://outlook.office365.com/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://pages.store.office.com/review/query
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://powerlift.acompli.net
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://settings.outlook.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://shell.suite.office.com:1443
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://skyapi.live.net/Activity/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://staging.cortana.ai
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://store.office.cn/addinstemplate
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://store.office.com/addinstemplate
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://store.office.de/addinstemplate
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://tasks.office.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://templatelogging.office.com/client/log
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://web.microsoftstream.com/video/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://webshell.suite.office.com
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://wus2.contentsync.
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://wus2.pagecontentsync.
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
          Source: A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drString found in binary or memory: https://www.odwebp.svc.ms
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
          Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
          Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
          Source: unknownHTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49739 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49742 version: TLS 1.2

          System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000004.00000002.973589332.0000000001100000.00000040.00000001.sdmp, type: MEMORYMatched rule: QakBot Payload Author: kevoreilly
          Source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: QakBot Payload Author: kevoreilly
          Source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, type: MEMORYMatched rule: QakBot Payload Author: kevoreilly
          Source: 0000000D.00000002.713096999.0000000000660000.00000040.00000001.sdmp, type: MEMORYMatched rule: QakBot Payload Author: kevoreilly
          Source: 13.2.explorer.exe.660000.0.raw.unpack, type: UNPACKEDPEMatched rule: QakBot Payload Author: kevoreilly
          Source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: QakBot Payload Author: kevoreilly
          Source: 6.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPEMatched rule: QakBot Payload Author: kevoreilly
          Source: 4.2.explorer.exe.1100000.0.unpack, type: UNPACKEDPEMatched rule: QakBot Payload Author: kevoreilly
          Source: 4.2.explorer.exe.1100000.0.raw.unpack, type: UNPACKEDPEMatched rule: QakBot Payload Author: kevoreilly
          Source: 3.2.regsvr32.exe.1120000.2.unpack, type: UNPACKEDPEMatched rule: QakBot Payload Author: kevoreilly
          Source: 6.2.regsvr32.exe.f30000.2.raw.unpack, type: UNPACKEDPEMatched rule: QakBot Payload Author: kevoreilly
          Source: 6.2.regsvr32.exe.f30000.2.unpack, type: UNPACKEDPEMatched rule: QakBot Payload Author: kevoreilly
          Source: 3.2.regsvr32.exe.1120000.2.raw.unpack, type: UNPACKEDPEMatched rule: QakBot Payload Author: kevoreilly
          Source: 13.2.explorer.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: QakBot Payload Author: kevoreilly
          Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
          Source: Screenshot number: 4Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
          Source: Screenshot number: 4Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
          Found Excel 4.0 Macro with suspicious formulasShow sources
          Source: plan-1053707320.xlsbInitial sample: CALL
          Found abnormal large hidden Excel 4.0 Macro sheetShow sources
          Source: plan-1053707320.xlsbInitial sample: Sheet size: 22026
          Office process drops PE fileShow sources
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\gihi1.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\gihi2.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ka[1].htmJump to dropped file
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htmJump to dropped file
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1000DDC7 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,memcpy,GetCurrentProcess,NtUnmapViewOfSection,NtClose,3_2_1000DDC7
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1000E23A memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW,3_2_1000E23A
          Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBGJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D2A873_2_010D2A87
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D4F803_2_010D4F80
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D26A73_2_010D26A7
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D330B3_2_010D330B
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D10003_2_010D1000
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D38203_2_010D3820
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D99393_2_010D9939
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010DAA353_2_010DAA35
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010DA6373_2_010DA637
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D61313_2_010D6131
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010DBC4E3_2_010DBC4E
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D41493_2_010D4149
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D725E3_2_010D725E
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D875E3_2_010D875E
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D69563_2_010D6956
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D96643_2_010D9664
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010DAB673_2_010DAB67
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010DB8773_2_010DB877
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010DB1A13_2_010DB1A1
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D11BE3_2_010D11BE
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010DA4BE3_2_010DA4BE
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D4AB13_2_010D4AB1
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D88DE3_2_010D88DE
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D90DE3_2_010D90DE
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D31D83_2_010D31D8
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010DBAEC3_2_010DBAEC
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D94F83_2_010D94F8
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_010D7BF53_2_010D7BF5
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100124203_2_10012420
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1000F0453_2_1000F045
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100184903_2_10018490
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10014CBF3_2_10014CBF
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100110C03_2_100110C0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10018D303_2_10018D30
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100119683_2_10011968
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100155B53_2_100155B5
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100109C53_2_100109C5
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100149C53_2_100149C5
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100115FD3_2_100115FD
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1001C24F3_2_1001C24F
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10010A6B3_2_10010A6B
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10011EBA3_2_10011EBA
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1001B6CA3_2_1001B6CA
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100117213_2_10011721
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 652
Source: gihi2.dll.13.dr | Static PE information: No import functions for PE file found
Source: gihi1.dll.4.dr | Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: 00000004.00000002.973589332.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 0000000D.00000002.713096999.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 13.2.explorer.exe.660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 6.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 4.2.explorer.exe.1100000.0.unpack, type: UNPACKEDPE | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 4.2.explorer.exe.1100000.0.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 3.2.regsvr32.exe.1120000.2.unpack, type: UNPACKEDPE | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 6.2.regsvr32.exe.f30000.2.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 6.2.regsvr32.exe.f30000.2.unpack, type: UNPACKEDPE | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 3.2.regsvr32.exe.1120000.2.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: 13.2.explorer.exe.660000.0.unpack, type: UNPACKEDPE | Matched rule: QakBot (author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload)
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSB@20/19@2/1
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1000A1C7 CreateToolhelp32Snapshot, memset, Process32First, FindCloseChangeNotification
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10009CB8 CoInitializeEx, CoInitializeSecurity, CoCreateInstance, SysAllocString, CoSetProxyBlanket
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10002297 StartServiceCtrlDispatcherA
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\{71922192-0266-41D2-A0F0-3628639BB9C8}
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\WERReportingForProcess6700
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\{264525F5-7A27-4045-91D4-FDDDDA7BFE75}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\WERReportingForProcess7092
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{264525F5-7A27-4045-91D4-FDDDDA7BFE75}
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{EF4E487D-8367-44BE-A024-25DD7810F9BF} - OProcSessId.dat
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini