Windows Analysis Report
ndp48-web.exe

Overview

General Information

Sample name:	ndp48-web.exe
Analysis ID:	1431611
MD5:	34a5c76979563918b953e66e0d39c7ef
SHA1:	4181398aa1fd5190155ac3a388434e5f7ea0b667
SHA256:	0bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	48
Range:	0 - 100

Signatures

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Signatures

Compliance

Uses 32bit PE files

Source: ndp48-web.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1030\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1043\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1035\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1038\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1045\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1029\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1037\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1025\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1032\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1044\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1053\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1046\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2070\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1055\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1049\eula.rtf	Jump to behavior

Source: ndp48-web.exe

Static PE information: certificate valid

Source: ndp48-web.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: ndp48-web.exe
Source:	Binary string: sqmapi.pdb source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1643088661.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1642873053.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1643183335.0000000000CFF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097119067.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, sqmapi.dll.0.dr
Source:	Binary string: SetupEngine.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097226411.000000006CAC1000.00000020.00000001.01000000.00000005.sdmp, SetupEngine.dll.0.dr
Source:	Binary string: SetupUtility.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.0.dr
Source:	Binary string: SetupUtility.pdb5 source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.0.dr
Source:	Binary string: Setup.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4094321813.0000000000EE1000.00000020.00000001.01000000.00000004.sdmp, Setup.exe.0.dr
Source:	Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: ndp48-web.exe
Source:	Binary string: SetupResources.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097511959.000000006E321000.00000020.00000001.01000000.0000000C.sdmp, SetupResources.dll20.0.dr, SetupResources.dll10.0.dr, SetupResources.dll4.0.dr, SetupResources.dll11.0.dr, SetupResources.dll5.0.dr, SetupResources.dll2.0.dr, SetupResources.dll13.0.dr, SetupResources.dll7.0.dr, SetupResources.dll12.0.dr, SetupResources.dll16.0.dr, SetupResources.dll14.0.dr, SetupResources.dll18.0.dr, SetupResources.dll19.0.dr, SetupResources.dll3.0.dr, SetupResources.dll17.0.dr, SetupResources.dll1.0.dr, SetupResources.dll9.0.dr, SetupResources.dll22.0.dr, SetupResources.dll6.0.dr, SetupResources.dll0.0.dr, SetupResources.dll15.0.dr, SetupResources.dll21.0.dr, SetupResources.dll.0.dr, SetupResources.dll8.0.dr
Source:	Binary string: SetupUi.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4096935660.000000006C631000.00000020.00000001.01000000.0000000B.sdmp, SetupUi.dll.0.dr

Software Vulnerabilities

Source: winword.exe

Memory has grown: Private usage: 1MB later: 42MB

Networking

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: Setup.exe, 00000001.00000003.1674388120.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1674301361.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic

System Summary

PE file contains executable resources (Code or Archives)

Source: SetupResources.dll10.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SetupResources.dll10.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

PE file does not import any functions

Source: SetupResources.dll7.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll1.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll11.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll4.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll22.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll14.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll17.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll16.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll19.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll13.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll5.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll8.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll9.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll10.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll21.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll2.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll18.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll0.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll3.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll15.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll6.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll12.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll20.0.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1623425541.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000002.4086062566.00000000000FD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1642980054.0000000000D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupUI.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupUtility.exe\ vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupEngine.dllT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupResources.dllT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupResources.dllX vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupResources.dll\ vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.dllT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000000.1622920091.00000000000FD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1643183335.0000000000CFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe

Uses 32bit PE files

Source: ndp48-web.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: clean3.winEXE@14/132@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office

Jump to behavior

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\NetFxSetupMutex

Source: C:\Users\user\Desktop\ndp48-web.exe

File created: C:\Users\user\AppData\Local\Temp\dd_ndp48-web_decompression_log.txt

Jump to behavior

Source: ndp48-web.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\ndp48-web.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ndp48-web.exe

File read: C:\Users\user\Desktop\ndp48-web.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ndp48-web.exe "C:\Users\user\Desktop\ndp48-web.exe"
Source: C:\Users\user\Desktop\ndp48-web.exe	Process created: C:\5478d9557b6298dc63ac5974e1\Setup.exe C:\5478d9557b6298dc63ac5974e1\\Setup.exe /x86 /x64 /web
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\ndp48-web.exe	Process created: C:\5478d9557b6298dc63ac5974e1\Setup.exe C:\5478d9557b6298dc63ac5974e1\\Setup.exe /x86 /x64 /web	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf"	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288

Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: setupengine.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: sqmapi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: setupui.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InProcServer32

Jump to behavior

Source: Templates.LNK.2.dr

LNK file: ..\..\Templates

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MsftEdit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Window detected: Number of UI elements: 15

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: ndp48-web.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: ndp48-web.exe

Static file information: File size 1439328 > 1048576

Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ndp48-web.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ndp48-web.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: ndp48-web.exe
Source:	Binary string: sqmapi.pdb source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1643088661.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1642873053.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1643183335.0000000000CFF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097119067.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, sqmapi.dll.0.dr
Source:	Binary string: SetupEngine.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097226411.000000006CAC1000.00000020.00000001.01000000.00000005.sdmp, SetupEngine.dll.0.dr
Source:	Binary string: SetupUtility.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.0.dr
Source:	Binary string: SetupUtility.pdb5 source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.0.dr
Source:	Binary string: Setup.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4094321813.0000000000EE1000.00000020.00000001.01000000.00000004.sdmp, Setup.exe.0.dr
Source:	Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: ndp48-web.exe
Source:	Binary string: SetupResources.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097511959.000000006E321000.00000020.00000001.01000000.0000000C.sdmp, SetupResources.dll20.0.dr, SetupResources.dll10.0.dr, SetupResources.dll4.0.dr, SetupResources.dll11.0.dr, SetupResources.dll5.0.dr, SetupResources.dll2.0.dr, SetupResources.dll13.0.dr, SetupResources.dll7.0.dr, SetupResources.dll12.0.dr, SetupResources.dll16.0.dr, SetupResources.dll14.0.dr, SetupResources.dll18.0.dr, SetupResources.dll19.0.dr, SetupResources.dll3.0.dr, SetupResources.dll17.0.dr, SetupResources.dll1.0.dr, SetupResources.dll9.0.dr, SetupResources.dll22.0.dr, SetupResources.dll6.0.dr, SetupResources.dll0.0.dr, SetupResources.dll15.0.dr, SetupResources.dll21.0.dr, SetupResources.dll.0.dr, SetupResources.dll8.0.dr
Source:	Binary string: SetupUi.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4096935660.000000006C631000.00000020.00000001.01000000.0000000B.sdmp, SetupUi.dll.0.dr

Data Obfuscation

PE file contains an invalid checksum

Source: SetupResources.dll7.0.dr	Static PE information: real checksum: 0x85b6 should be: 0x11869
Source: SetupResources.dll.0.dr	Static PE information: real checksum: 0x6ea5 should be: 0x14bba
Source: SetupResources.dll1.0.dr	Static PE information: real checksum: 0xeaf1 should be: 0xf9e7
Source: SetupResources.dll11.0.dr	Static PE information: real checksum: 0x152f3 should be: 0xfcfd
Source: SetupUi.dll.0.dr	Static PE information: real checksum: 0x5bb56 should be: 0x580a0
Source: SetupResources.dll4.0.dr	Static PE information: real checksum: 0x15ab2 should be: 0x11a19
Source: SetupResources.dll22.0.dr	Static PE information: real checksum: 0x79e2 should be: 0x14200
Source: SetupResources.dll14.0.dr	Static PE information: real checksum: 0xb54d should be: 0xe4b6
Source: SetupResources.dll17.0.dr	Static PE information: real checksum: 0x74cf should be: 0xed2c
Source: SetupResources.dll16.0.dr	Static PE information: real checksum: 0x133a7 should be: 0x11cfc
Source: SetupResources.dll19.0.dr	Static PE information: real checksum: 0x664a should be: 0x6bd6
Source: SetupResources.dll13.0.dr	Static PE information: real checksum: 0xe0f8 should be: 0x12f83
Source: SetupResources.dll5.0.dr	Static PE information: real checksum: 0xff36 should be: 0x92e3
Source: SetupResources.dll8.0.dr	Static PE information: real checksum: 0x8bd9 should be: 0x12d34
Source: SetupResources.dll9.0.dr	Static PE information: real checksum: 0xda87 should be: 0x11fd2
Source: SetupResources.dll10.0.dr	Static PE information: real checksum: 0xccb2 should be: 0x10498
Source: SetupResources.dll2.0.dr	Static PE information: real checksum: 0x1120b should be: 0x9889
Source: Setup.exe.0.dr	Static PE information: real checksum: 0x241d1 should be: 0x2b297
Source: SetupResources.dll18.0.dr	Static PE information: real checksum: 0x108c5 should be: 0x81a2
Source: SetupResources.dll0.0.dr	Static PE information: real checksum: 0xc251 should be: 0x7278
Source: SetupResources.dll3.0.dr	Static PE information: real checksum: 0x130f6 should be: 0xfb6f
Source: SetupEngine.dll.0.dr	Static PE information: real checksum: 0xe3382 should be: 0xe90f6
Source: SetupResources.dll15.0.dr	Static PE information: real checksum: 0xc4a3 should be: 0x13cd1
Source: SetupResources.dll6.0.dr	Static PE information: real checksum: 0x53a2 should be: 0x586f
Source: SetupResources.dll12.0.dr	Static PE information: real checksum: 0x106a2 should be: 0x12659
Source: SetupResources.dll20.0.dr	Static PE information: real checksum: 0x14ea0 should be: 0xd534

PE file contains sections with non-standard names

Source: ndp48-web.exe	Static PE information: section name: .boxld01
Source: SetupResources.dll.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll0.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll1.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll2.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll3.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll4.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll5.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll6.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll7.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll8.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll9.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll10.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll11.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll12.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll13.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll14.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll15.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll16.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll17.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll18.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll19.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll20.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll21.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll22.0.dr	Static PE information: section name: .00cfg

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1038\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\SetupUi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2070\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1044\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1043\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1046\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1045\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\SetupUtility.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1025\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1053\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\sqmapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1055\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\SetupEngine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1029\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1035\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1037\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1030\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1032\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Jump to dropped file

Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1030\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1043\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1035\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1038\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1045\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1029\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1037\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1025\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1032\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1044\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1053\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1046\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2070\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1055\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1049\eula.rtf	Jump to behavior

Boot Survival

Creates or modifies windows services

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\VSSetup

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior

Malware Analysis System Evasion

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 9896

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1038\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\2070\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1044\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1043\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1046\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1045\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\SetupUtility.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1053\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1025\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1055\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1029\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1035\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1037\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1030\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1032\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1031\SetupResources.dll	Jump to dropped file

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ndp48-web.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: Setup.exe, 00000001.00000002.4096365834.0000000008480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Setup.exe, 00000001.00000002.4096712651.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf"			Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf"			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\ndp48-web.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true

Compliance

Uses 32bit PE files

Source: ndp48-web.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1030\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1043\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1035\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1038\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1045\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1029\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1037\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1025\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1032\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1044\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1053\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1046\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2070\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1055\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1049\eula.rtf	Jump to behavior

Source: ndp48-web.exe

Static PE information: certificate valid

Source: ndp48-web.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: ndp48-web.exe
Source:	Binary string: sqmapi.pdb source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1643088661.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1642873053.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1643183335.0000000000CFF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097119067.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, sqmapi.dll.0.dr
Source:	Binary string: SetupEngine.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097226411.000000006CAC1000.00000020.00000001.01000000.00000005.sdmp, SetupEngine.dll.0.dr
Source:	Binary string: SetupUtility.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.0.dr
Source:	Binary string: SetupUtility.pdb5 source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.0.dr
Source:	Binary string: Setup.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4094321813.0000000000EE1000.00000020.00000001.01000000.00000004.sdmp, Setup.exe.0.dr
Source:	Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: ndp48-web.exe
Source:	Binary string: SetupResources.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097511959.000000006E321000.00000020.00000001.01000000.0000000C.sdmp, SetupResources.dll20.0.dr, SetupResources.dll10.0.dr, SetupResources.dll4.0.dr, SetupResources.dll11.0.dr, SetupResources.dll5.0.dr, SetupResources.dll2.0.dr, SetupResources.dll13.0.dr, SetupResources.dll7.0.dr, SetupResources.dll12.0.dr, SetupResources.dll16.0.dr, SetupResources.dll14.0.dr, SetupResources.dll18.0.dr, SetupResources.dll19.0.dr, SetupResources.dll3.0.dr, SetupResources.dll17.0.dr, SetupResources.dll1.0.dr, SetupResources.dll9.0.dr, SetupResources.dll22.0.dr, SetupResources.dll6.0.dr, SetupResources.dll0.0.dr, SetupResources.dll15.0.dr, SetupResources.dll21.0.dr, SetupResources.dll.0.dr, SetupResources.dll8.0.dr
Source:	Binary string: SetupUi.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4096935660.000000006C631000.00000020.00000001.01000000.0000000B.sdmp, SetupUi.dll.0.dr

Software Vulnerabilities

Source: winword.exe

Memory has grown: Private usage: 1MB later: 42MB

Networking

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: Setup.exe, 00000001.00000003.1674388120.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1674301361.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic

System Summary

PE file contains executable resources (Code or Archives)

Source: SetupResources.dll10.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SetupResources.dll10.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

PE file does not import any functions

Source: SetupResources.dll7.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll1.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll11.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll4.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll22.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll14.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll17.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll16.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll19.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll13.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll5.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll8.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll9.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll10.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll21.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll2.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll18.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll0.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll3.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll15.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll6.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll12.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll20.0.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1623425541.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000002.4086062566.00000000000FD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1642980054.0000000000D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupUI.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupUtility.exe\ vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupEngine.dllT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupResources.dllT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupResources.dllX vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupResources.dll\ vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.dllT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000000.1622920091.00000000000FD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1643183335.0000000000CFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe

Uses 32bit PE files

Source: ndp48-web.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: clean3.winEXE@14/132@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office

Jump to behavior

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\NetFxSetupMutex

Source: C:\Users\user\Desktop\ndp48-web.exe

File created: C:\Users\user\AppData\Local\Temp\dd_ndp48-web_decompression_log.txt

Jump to behavior

Source: ndp48-web.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\ndp48-web.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ndp48-web.exe

File read: C:\Users\user\Desktop\ndp48-web.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ndp48-web.exe "C:\Users\user\Desktop\ndp48-web.exe"
Source: C:\Users\user\Desktop\ndp48-web.exe	Process created: C:\5478d9557b6298dc63ac5974e1\Setup.exe C:\5478d9557b6298dc63ac5974e1\\Setup.exe /x86 /x64 /web
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\ndp48-web.exe	Process created: C:\5478d9557b6298dc63ac5974e1\Setup.exe C:\5478d9557b6298dc63ac5974e1\\Setup.exe /x86 /x64 /web	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf"	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288

Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: setupengine.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: sqmapi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: setupui.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InProcServer32

Jump to behavior

Source: Templates.LNK.2.dr

LNK file: ..\..\Templates

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MsftEdit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Window detected: Number of UI elements: 15

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: ndp48-web.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: ndp48-web.exe

Static file information: File size 1439328 > 1048576

Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ndp48-web.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ndp48-web.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: ndp48-web.exe
Source:	Binary string: sqmapi.pdb source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1643088661.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1642873053.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1643183335.0000000000CFF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097119067.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, sqmapi.dll.0.dr
Source:	Binary string: SetupEngine.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097226411.000000006CAC1000.00000020.00000001.01000000.00000005.sdmp, SetupEngine.dll.0.dr
Source:	Binary string: SetupUtility.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.0.dr
Source:	Binary string: SetupUtility.pdb5 source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.0.dr
Source:	Binary string: Setup.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4094321813.0000000000EE1000.00000020.00000001.01000000.00000004.sdmp, Setup.exe.0.dr
Source:	Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: ndp48-web.exe
Source:	Binary string: SetupResources.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097511959.000000006E321000.00000020.00000001.01000000.0000000C.sdmp, SetupResources.dll20.0.dr, SetupResources.dll10.0.dr, SetupResources.dll4.0.dr, SetupResources.dll11.0.dr, SetupResources.dll5.0.dr, SetupResources.dll2.0.dr, SetupResources.dll13.0.dr, SetupResources.dll7.0.dr, SetupResources.dll12.0.dr, SetupResources.dll16.0.dr, SetupResources.dll14.0.dr, SetupResources.dll18.0.dr, SetupResources.dll19.0.dr, SetupResources.dll3.0.dr, SetupResources.dll17.0.dr, SetupResources.dll1.0.dr, SetupResources.dll9.0.dr, SetupResources.dll22.0.dr, SetupResources.dll6.0.dr, SetupResources.dll0.0.dr, SetupResources.dll15.0.dr, SetupResources.dll21.0.dr, SetupResources.dll.0.dr, SetupResources.dll8.0.dr
Source:	Binary string: SetupUi.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4096935660.000000006C631000.00000020.00000001.01000000.0000000B.sdmp, SetupUi.dll.0.dr

Data Obfuscation

PE file contains an invalid checksum

Source: SetupResources.dll7.0.dr	Static PE information: real checksum: 0x85b6 should be: 0x11869
Source: SetupResources.dll.0.dr	Static PE information: real checksum: 0x6ea5 should be: 0x14bba
Source: SetupResources.dll1.0.dr	Static PE information: real checksum: 0xeaf1 should be: 0xf9e7
Source: SetupResources.dll11.0.dr	Static PE information: real checksum: 0x152f3 should be: 0xfcfd
Source: SetupUi.dll.0.dr	Static PE information: real checksum: 0x5bb56 should be: 0x580a0
Source: SetupResources.dll4.0.dr	Static PE information: real checksum: 0x15ab2 should be: 0x11a19
Source: SetupResources.dll22.0.dr	Static PE information: real checksum: 0x79e2 should be: 0x14200
Source: SetupResources.dll14.0.dr	Static PE information: real checksum: 0xb54d should be: 0xe4b6
Source: SetupResources.dll17.0.dr	Static PE information: real checksum: 0x74cf should be: 0xed2c
Source: SetupResources.dll16.0.dr	Static PE information: real checksum: 0x133a7 should be: 0x11cfc
Source: SetupResources.dll19.0.dr	Static PE information: real checksum: 0x664a should be: 0x6bd6
Source: SetupResources.dll13.0.dr	Static PE information: real checksum: 0xe0f8 should be: 0x12f83
Source: SetupResources.dll5.0.dr	Static PE information: real checksum: 0xff36 should be: 0x92e3
Source: SetupResources.dll8.0.dr	Static PE information: real checksum: 0x8bd9 should be: 0x12d34
Source: SetupResources.dll9.0.dr	Static PE information: real checksum: 0xda87 should be: 0x11fd2
Source: SetupResources.dll10.0.dr	Static PE information: real checksum: 0xccb2 should be: 0x10498
Source: SetupResources.dll2.0.dr	Static PE information: real checksum: 0x1120b should be: 0x9889
Source: Setup.exe.0.dr	Static PE information: real checksum: 0x241d1 should be: 0x2b297
Source: SetupResources.dll18.0.dr	Static PE information: real checksum: 0x108c5 should be: 0x81a2
Source: SetupResources.dll0.0.dr	Static PE information: real checksum: 0xc251 should be: 0x7278
Source: SetupResources.dll3.0.dr	Static PE information: real checksum: 0x130f6 should be: 0xfb6f
Source: SetupEngine.dll.0.dr	Static PE information: real checksum: 0xe3382 should be: 0xe90f6
Source: SetupResources.dll15.0.dr	Static PE information: real checksum: 0xc4a3 should be: 0x13cd1
Source: SetupResources.dll6.0.dr	Static PE information: real checksum: 0x53a2 should be: 0x586f
Source: SetupResources.dll12.0.dr	Static PE information: real checksum: 0x106a2 should be: 0x12659
Source: SetupResources.dll20.0.dr	Static PE information: real checksum: 0x14ea0 should be: 0xd534

PE file contains sections with non-standard names

Source: ndp48-web.exe	Static PE information: section name: .boxld01
Source: SetupResources.dll.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll0.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll1.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll2.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll3.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll4.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll5.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll6.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll7.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll8.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll9.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll10.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll11.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll12.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll13.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll14.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll15.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll16.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll17.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll18.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll19.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll20.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll21.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll22.0.dr	Static PE information: section name: .00cfg

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1038\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\SetupUi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2070\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1044\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1043\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1046\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1045\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\SetupUtility.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1025\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1053\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\sqmapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1055\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\SetupEngine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1029\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1035\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1037\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1030\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1032\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Jump to dropped file

Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1030\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1043\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1035\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1038\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1045\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1029\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1037\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1025\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1032\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1044\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1053\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1046\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2070\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1055\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1049\eula.rtf	Jump to behavior

Boot Survival

Creates or modifies windows services

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\VSSetup

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior

Malware Analysis System Evasion

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 9896

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1038\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\2070\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1044\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1043\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1046\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1045\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\SetupUtility.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1053\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1025\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1055\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1029\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1035\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1037\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1030\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1032\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1031\SetupResources.dll	Jump to dropped file

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ndp48-web.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: Setup.exe, 00000001.00000002.4096365834.0000000008480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Setup.exe, 00000001.00000002.4096712651.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf"			Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf"			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\ndp48-web.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1431611
Product:	CloudBasic
Start time:	14:25:42
Start date:	25.04.2024
Sample:	ndp48-web.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	34a5c76979563918b953e66e0d39c7ef
SHA1:	4181398aa1fd5190155ac3a388434e5f7ea0b667
SHA256:	0bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\5478d9557b6298dc63ac5974e1\1025\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (433), with CRLF line terminators	D8165BEB3B8433921D0D5611B85BFA35	BEF57E3511E18170EBBC9AE3AEFD73CE3F50F8F4	B092668E0825F7F498ACDC1BF10E1D2CB6CA99497389142CF9AF815F25A4B712
C:\5478d9557b6298dc63ac5974e1\1025\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	51AD58DF739F0C0D005FE36B1350A6A3	25069B754778651E70E1FB1BCEBE04575361104F	E1CF3D22AA1DC94E58DD946D319D9D8AFC8B6BBA80EF3CA7575185B8F3CE435A
C:\5478d9557b6298dc63ac5974e1\1025\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	13431FD86B4023B8E11695360B22169C	AF4F361DE88D390B27E8B6169AEF2C05FD6C2E00	AABCCC5B9E9FB2A2759C634CD94B8B5808BF9D32A46014C2F01E245405B84FEA
C:\5478d9557b6298dc63ac5974e1\1028\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	F3A4FD6968658A18882CF300553F2F89	B75CCAEFF41BF9C8586BCA612550CB9DCA6B09EA	53742293B25149B19D8677B15F6424FC71E308014B1BCF883E6949D1DAB3961C
C:\5478d9557b6298dc63ac5974e1\1028\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	751EFB8A557EC3DF620A1D3D91FC7E8E	4A82263312FC2343A55DBDB9935798BA8E31562E	1CE28FD9898191BD6B0DABBA472FBEA5E679F588F4DEB9DDD1755198F2919666
C:\5478d9557b6298dc63ac5974e1\1028\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	4FE2BD1C6AB9896DB6FEC42A00B6BB67	7B3278A6B0BF6961230399EA94DDA7FB1CC3D596	4DB6D43C560CCC02D0ADB570D4675223286D7B1949FAC1C5A16FFD1C8835A814
C:\5478d9557b6298dc63ac5974e1\1029\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (447), with CRLF line terminators	D6801174849373CDE3F1D214D80FE834	50CAF47AA60B999CA7B43D3CEB75D0DBFFD2278A	CBB0DA2D1EFA7DE6736E67C978848D53ACF8B502BF3DAF43CE40B05076145A7C
C:\5478d9557b6298dc63ac5974e1\1029\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0324FBF9214800146690EEEDDE905C30	81D204D02DA04854884E47A99C8B8D468AFA154B	22629C2BC84EE599C827825F84E47819BED1157BCEDEA11DDE0A854A4DE68DD1
C:\5478d9557b6298dc63ac5974e1\1029\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	E0EEC490F52FE2AB10B75E354ABFFC87	CDCEA1632D1B42A08CE15919F0492CB35BA749ED	03E8EDE8A900D1E25414A5767980F8C2715B53D29CBFC40CE1B42075B175B0E1
C:\5478d9557b6298dc63ac5974e1\1030\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (418), with CRLF line terminators	03B1E582EC5454B2FA3599E788569DFA	75845ACDD04FB17011218B06FD7C28830641F021	59884541554376A26143B105FA924B9F9961254D22DB8DEDF7DE7F3495D7A1DD
C:\5478d9557b6298dc63ac5974e1\1030\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	69CE7A41E23625A55819AD9BBCD45336	86E9766E606D8DFEDA61A4100517CDC16F1084F0	CFC1AC54D49CBCC43045484B6FC775E6FA3B063DA5D9B2A96606990309780384
C:\5478d9557b6298dc63ac5974e1\1030\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	DCD287A517A6DD7A011B584FD5660811	249318666D6A3D0903F00C954DD1309AA6A59859	271152060662CCCEB3D2F6EDCAEAA9E003391975AADC6DD6B26648B8A084DBE1
C:\5478d9557b6298dc63ac5974e1\1031\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (509), with CRLF line terminators	AFB4B1D7103DDCA43EA723ACBCDD31FD	C4D95DFD4869DF636091E979C8B3BD7684004A48	961EFE11E9E3E553269CB14DC1B942E9AC68B86740D59AA35E4FF6E5913532DD
C:\5478d9557b6298dc63ac5974e1\1031\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	62431931C0E7AEF5A55F831FD897C193	8E76BA228BB72DED1F6D04CE9BA7634A0567BD33	7ED80F565427EEB1A0DB93EE5D2691D4BC7EA6DAEAE881FCABA21423510866CA
C:\5478d9557b6298dc63ac5974e1\1031\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	940967914EA121AAF09B119E37206A38	7AB2B55EBE42C242DBBE8F1821C138F52843793E	992280EEA0CB8CD63878356A350801632A63CA669C1720F361FF2922243E701A
C:\5478d9557b6298dc63ac5974e1\1032\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (565), with CRLF line terminators	71BDB323A746A4ADAB9CE42498E937BC	8E58D4BA5623A50610BD99E82DF135708A9F130E	6C5A6E11A85C9E172E7748A9A9F19F8598870A63A103A7AC18CBBD0CDF026475
C:\5478d9557b6298dc63ac5974e1\1032\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D30B31E0C9C97061A8E07DCB56B4C199	B48B248757C869C1186F6BF4EA3470A1E06C2222	D3DBEA64652620E74B73A67A63BE36085BFCA863A991B3022E322B6AC4D2347C
C:\5478d9557b6298dc63ac5974e1\1032\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	E9A32E66AF5386F4EC50D6F822E57145	1798F05F60D087CAE4871D3F0DF99B2F121014F7	83D0876B44402760C3D31E58022AC84376CB9364F7E73984C8CADC9F18BA725C
C:\5478d9557b6298dc63ac5974e1\1033\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (412), with CRLF line terminators	47703BED025228689A1032EDAE56B4C4	A2ABA33C7E8915025251574C81FE2E5AC6BC0893	05FC9352B918A710D51F68873FC522528265455B77014E8B0CD66C5E7AA71DC3
C:\5478d9557b6298dc63ac5974e1\1033\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	3F975E8BB4CD4ADB9B5D21B2DA436AB6	E017DD66CBD964228B3B9B84B14C892709FE3915	AB1D462944FDCB4AD2E6A4D37257F2FE2063744BB4E3DE55B4126DFB65D383FC
C:\5478d9557b6298dc63ac5974e1\1033\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	47C47A12E6830B793150494D35D51637	87A11FECE572F2A57982270533D6906DAF7DA218	4399B24E28BECFB3BB2820DAA09965860001492145FD7E2466DA7B740C31855D
C:\5478d9557b6298dc63ac5974e1\1035\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (450), with CRLF line terminators	AD67691B3B5474154F65400E53DDFEF2	DC8DC683BF9FEE12A5AB7297789A5C087E98FACC	1E828840AE8728AC809624845597406D4025D6DA7797B38F02946A30A48BFE7C
C:\5478d9557b6298dc63ac5974e1\1035\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DAEC777035B964E1C36E5C54420E7153	1D0AD100D2DAB9929251C3CDFCCFD822968259BB	5D0AEF595C1D4B3DC658C809F8F0540DC7F689CD03FCBFC566737EA2BF360E47
C:\5478d9557b6298dc63ac5974e1\1035\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	42A6665773E6F9F5E9F6AE725C73565D	CC9D27AEC7FF248AA470646F43CDA329A836D598	CE98922719450764D7B2D8778DB5A267BF244B39599BB9699E9C15742E15BAA2
C:\5478d9557b6298dc63ac5974e1\1036\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (466), with CRLF line terminators	2C77CBAAF9C3ED0C4410C4B8C3C29C30	110775CA1C6E252B4E8C8BF39B593DFB4D66206C	AB3D5571B57B7BB705BFFE13F37BD73894B0D12D09CC1FB1B438493A863C324C
C:\5478d9557b6298dc63ac5974e1\1036\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	EBF7672BFE808CA0602D25FB6A5FA115	8A3F92679B87D919260C3B74C27E790A301BB25B	DA4151C2A7DA521F5CDBCE42F3C03A2DE90A49E0AEE82DF5F75211310C3743AE
C:\5478d9557b6298dc63ac5974e1\1036\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	291BC09E4E69CD56426B4E63848BD967	5123736A141AE3DF1ACBA60A3F4C613DEBE7A3DB	93FEF896B04650014F4A869D853E030EE3B00CED642FED928141F29123AE8140
C:\5478d9557b6298dc63ac5974e1\1037\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (368), with CRLF line terminators	631011D665AD08220FE248D9F8A103BA	652C56998D0E8BF0C43F136FD90C69728BB0E111	E9877973BEF23498B586A9CF03230FC45A9EA8A3F75DECFA062B03BD31974B06
C:\5478d9557b6298dc63ac5974e1\1037\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B5DC9BDF9BC1EC4A3ECA070FAB6A3B68	22DC867D4C6175B78A3F389EB0B16B57F13BF397	40A437A3B225EE79A82BC36304CFDAB4E7CD7455B3A15AEA6BAD1BD7E87AAE9B
C:\5478d9557b6298dc63ac5974e1\1037\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	1AA6E136CAEAE287EFF59D64281451FC	57C5384003360E539CAD84F1B242A636CE399895	A90EB5E94F3A7CA6D30F849C47DD6C35B0599FE66AF50A29C029520B81B2B434
C:\5478d9557b6298dc63ac5974e1\1038\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (490), with CRLF line terminators	28E8A2833F3D5302A1F5C2A84FA8990A	08977251EB62C6DF447C6754B2EC27A73D9071F1	E4261C9B8C779D58883820A531A19594D238F0CA9ECAC399505C569B0CCCDBC7
C:\5478d9557b6298dc63ac5974e1\1038\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	150AD95506943E5720F82F21C332FA5C	B02F177051570D3BFECC608317EFDD0ED6022E98	35AE5CC953DF1069BEAB0F0FD2A000C6F07F0361D9C7B7A20FD34C456D136B5E
C:\5478d9557b6298dc63ac5974e1\1038\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	D1169D1DC40442766F68165855A3A1D2	A1A817E8DDDAE958D944102A6076E07E3F326152	50A534D5B14C6BE2C9AB6D538C7BD201A82504D34FCA379D7C52C49CD127EFC6
C:\5478d9557b6298dc63ac5974e1\1040\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (465), with CRLF line terminators	E74A35A00E0228DE37EE911F93411ED2	C1C0901EB552C21CE2817B7EDB94AF611B571A49	2EC36FB871853F60085BC972E08156483384F8C1D6E000F5DB1CC8CCCAD05F8C
C:\5478d9557b6298dc63ac5974e1\1040\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	002B3CDF42B65A6FC508FDA46C82502F	A2858216EE2EAD168EF2A279E855ADE7787AB2BE	2F15225D2430C54788EA9A34DDC06AE609F25436B7BDB151C95316A09D3CE251
C:\5478d9557b6298dc63ac5974e1\1040\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	2FBA51E419F1A5272244DCA1BB6FA8D1	A43ADED44A95078B8FFA74085D8424CAECC327CE	8374535E147AB71B9F149E74E77FCCF3282FFA9257565CD4AF6DB471C47E9231
C:\5478d9557b6298dc63ac5974e1\1041\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (323), with CRLF line terminators	32E4D6F895A69BB2C373FF4C688D6B27	57738235363C5F1A1C5651C65832396E3AEF4414	AE28910C1EF16CE70A5E97C5D02390AD8D64F80966E2BE3C4A56DB0C4038442D
C:\5478d9557b6298dc63ac5974e1\1041\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	2191BD92ABAF3D2094AD58EA59793C56	C55969BCD8309A9DC36650068F5652EFCF813DB0	AA885980EABCAE6A41849E4C6E670A482F2B58CA94586AEF1F7EDCD899E8EDB3
C:\5478d9557b6298dc63ac5974e1\1041\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	878C601A8EE79D8BC27DADA595F406A5	E9165C7745D9801D868B799B2D6212169A640573	3BE9621F436874877D799A19EA638955616EF2B5B20A121C3E2105A82569D83C
C:\5478d9557b6298dc63ac5974e1\1042\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (336), with CRLF line terminators	47F8082069C52D2F7DB1FC6AAC2886DF	4B5C371E9006C10685F2C59CA9A7EBFB4A597A0A	E86656EF2092C0E6CAF5B8B0BCA2D6CE5DEF273609C22187AE91236605D2E273
C:\5478d9557b6298dc63ac5974e1\1042\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	62916FB4601EC606FAF0AF963E11B621	5C711ED1EB16A8FA76EFDF5E7BEC2E1EE8AA9AA1	F24C7D743680A233C4A97578E08D2384CCAC16CB29AA550D3F33D6D80E9FADFC
C:\5478d9557b6298dc63ac5974e1\1042\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	A404BE4F47FA7DB29DF4023E2F75034E	9141A326F0D421CDC913E2DD9839398FB8F8480B	824C88479FF2A887E23838A03BD41C5C6F5C20F9CD3031FF2B2897529A1F39F6
C:\5478d9557b6298dc63ac5974e1\1043\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (465), with CRLF line terminators	E939717E7EAF1B7F53C4B752E62A22E7	CA5A66C452EC6CA8BC04DE95EAC1616CF3980992	8AFDF3D2C0FD2370889E3FD96BC2742831CDC6041AF0A407123C27F8D76D68A6
C:\5478d9557b6298dc63ac5974e1\1043\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	6B5DA66D58CBB93AB58508E39762DACF	01F052C63B33EB77C7CA6E3BB7F85D748E90C4B7	EF9D89D9FB91B28006D88A7314B25334EC9484B045C1EF1E360D190E57411271
C:\5478d9557b6298dc63ac5974e1\1043\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	26B16F6395F6469DA2CCE621BA66C7F3	E0A4A64B018A8A4FA07B92E6277534EFB7A6840E	D6547D3047F7B606CF84CCBED44C5047C0E3F6FEECFEB7F0A87EE451FC2FF7A7
C:\5478d9557b6298dc63ac5974e1\1044\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (402), with CRLF line terminators	B0D9E4DAC3935BB596BB83B7D8474F8F	29CE971B1A3CCF6F09ECED6BFF8E778DF13F3D35	3C309A5509D42E6485E9123BC6AF5EC43CF2FAA8AFEAD5062676E85AB7F96ADD
C:\5478d9557b6298dc63ac5974e1\1044\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D681E1D3708566488A2C68AF355C58AF	4DCDC8730DF86829A066720EC49D7ABF54E90CBC	879337C0A6A94F8961064D5E286C140D9FF57382147A0E2CB622322261A9A123
C:\5478d9557b6298dc63ac5974e1\1044\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	3C9F4B239DDC64151765EDDF658E788F	9BE17903A7B604CA4A91AB1417207CC73FF2EFFA	91D3D81F8E0663200D4A6FA6689CC6936C50DB001514FE803A638B861196997A
C:\5478d9557b6298dc63ac5974e1\1045\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (469), with CRLF line terminators	C3A238FFBF2DBB9F758E5C5B33948971	56CEB241F3780DC4A9814332F44369188DED3E77	2F0BEBA8A56CCCADDFE6E0ECC3130D0EFAFB7F84CC0FA4E8DB9D85C840E24241
C:\5478d9557b6298dc63ac5974e1\1045\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	59708860CD9FB256669A9D9E2E0D72CD	7AD8568CCD88D311173EA4477876BE8581BB76AD	D86286C5FE73A46F1240A6177E7F9144757E0EA97060344F6C3609322C96B568
C:\5478d9557b6298dc63ac5974e1\1045\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	A5A99B184ADEA12986B1283D7E6B5365	D477FFBA3C9199A0C74DC688AA41CC4D06530829	0E931904C4C9BEDE08BEE5985A5912351EFB927787941E33E174EC9373F81476
C:\5478d9557b6298dc63ac5974e1\1046\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (426), with CRLF line terminators	4A892AA3FEDBFE5991B6FF46C00AF55C	421FE8F80432C56D022FF2911C4A5708093184C3	AADBD1DF74FC82A43F86F1F40D5065A802B2DB71652525A78D258FDA3197A743
C:\5478d9557b6298dc63ac5974e1\1046\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	157DA28C4DEC27279322A99D90A27DFA	8E9928BAE175E16CA21A5F3D101DABE9C8BD7F32	B67BC7E8532AC429152877F368CAB07CE7D78BF49B144A2E188792C05D47AA38
C:\5478d9557b6298dc63ac5974e1\1046\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	4F7E0CF0AB641752ACF8168B7AF115C2	99AC6551112C1F308B4C939F75C73A098E2EC7C3	F714F0963E1CE7C6A73B27585EB6B197E29875E195B97885737817E51DED42AD
C:\5478d9557b6298dc63ac5974e1\1049\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (463), with CRLF line terminators	D46F34E95E94FBFA4CB4A8DCC7BA3211	3E2150C9DD44C4B3416051534CCF84968F2737CD	A787B2F493C3248991877F61E210BB0231D357D06AA2671917D2AD4E528C9F67
C:\5478d9557b6298dc63ac5974e1\1049\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4F22E1307E1EFC6AB3908F768BC6EC3A	B440F5EBE429B3D3B872DFAE021C15675DD7D7B5	47D5FDFBD54DD07718DFE9A8C2EB25997D77E67697DB3938BC616C1B552F4D24
C:\5478d9557b6298dc63ac5974e1\1049\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	C0A21ED9322DFA67AB5D71CC576982A0	74896F49DCE77069854F5B320C0C8D412BE676D6	1EA50FA040F7FE2E420039646C1A3F6F99756D7B1159CE1002A148C639761650
C:\5478d9557b6298dc63ac5974e1\1053\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (433), with CRLF line terminators	CB2E2EDF7D7FEFDE9B3894923407F8C0	541EC570F26BB30F4BE35F1A87D4CCF6BC660F67	874E5D7E45603AD70CA353E8DC6BF42944594F911D17C79BE8966DC01D27EB73
C:\5478d9557b6298dc63ac5974e1\1053\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B776D2EB2E66BB1DE5FC737704173460	5D66C04A49D4D3291DE33F7B945328025804E297	FCD13D65B8CFBE2035CC63D10BB5C7F2558967E61CE605FB88F413819303077B
C:\5478d9557b6298dc63ac5974e1\1053\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	FF3F5628B4B3E988D1EE082CD4F514A7	6C40FAE2124C630D05D0EB6F1B5A7F4901D05D0E	C920E7CD21DB8FF2822048023B6530815CA4537B5557B1482E8B8CA4A7798A70
C:\5478d9557b6298dc63ac5974e1\1055\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (452), with CRLF line terminators	F020B0E38F1295924F1833E77859FC9A	17467F2EBB8CBCA89119D30B3BA7AE30691921E1	8CE790ECA06BAE1B01F40F732580ADEA86D4C22B28D1E701E033C6C9983500C2
C:\5478d9557b6298dc63ac5974e1\1055\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C9DFDA8948680ECC97A8BBE2F97114CB	130B97562C2A45A3A87784E6B3A6818755A09C83	F008E0A673EBD471AF052C4F8259BFBFB9F028C203E96B18D53A179BF5017703
C:\5478d9557b6298dc63ac5974e1\1055\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	1604BE6036737CE1701330A4F54917EC	02E9ED8FFCD35B22DB9ADA931FFAFEBEF9B967E6	50C95114D6340431FAC2F752844B9E5C08024A88E464B1D4AFDE460545A3A3CF
C:\5478d9557b6298dc63ac5974e1\2052\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	6CC370B95C9F3E3D28315759B496E977	09E4AAD0A389F0F876D21E132123DBBD83DC1314	93E519E8CC173A3F1AA8DD8113AD4A1BE0B5B8D40E1D0A1563DBA2054B50433A
C:\5478d9557b6298dc63ac5974e1\2052\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	F67D13820BE86A0BDF9D6DDE2FA400A1	F9B2FFA3F1EE870E49B494A585C49B212CE907CC	E9733A3FE748058D474923B9DE7FE1A6F4BAAFD0B592D72D05D0A6A69B3CA574
C:\5478d9557b6298dc63ac5974e1\2052\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	F05B0D04CD20864FFCFECDEE13949D58	B65A5CCBF46A9E078B175EF82BD978DEFCE8DEE3	F2508D347BBC11784AD33C9FAE913C243198F9517CC9743BE56C74F28587B9A9
C:\5478d9557b6298dc63ac5974e1\2070\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (445), with CRLF line terminators	5B73409A0F1CBB707CD62A7956BC2F92	1CE52FD3746C5BEE7A3C3EF5AA8958E44B8761E3	193090F4472F1A1C5ED10AB97FA4BF77BD4FF3F172F380EF4A53FEF39989159A
C:\5478d9557b6298dc63ac5974e1\2070\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CD5ADC3856F5E244983F884ADD4B0974	38ACFFA5637059EA03BC66B210E75DD349E03589	6E8B50BB4F2DF7FB6C104FDE197253250BEF65459C897224A2284DAD223313E4
C:\5478d9557b6298dc63ac5974e1\2070\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	D611F7F4978F3960627E889316C4ADDF	A4FB1EA1FB64BFDF2B850947F4B7254BE2E01D31	803C4739D74B27A72754607AD69C41A4C311CFDBADA1A6BFE8FA47B31A9E74C6
C:\5478d9557b6298dc63ac5974e1\3082\LocalizedData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (436), with CRLF line terminators	E2FC9D2A4FC56B64E3981DD7E0B076D5	1660468AC360A0A52F1A84887A9BB9C6CA3C9D8D	9E224A5F7A5C83DF1AB31743520A05252C3CDCC9E97526264DA716166D2B29F9
C:\5478d9557b6298dc63ac5974e1\3082\SetupResources.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	328EBD40C9DABF91A88D883E3A38186B	E5A1BA4F20DB499FFBB192BBCCF41331DBB13BAF	65EBEBE480072ACBE8B9D5E9D129472301638244C96793B2C815A12F5B9333AE
C:\5478d9557b6298dc63ac5974e1\3082\eula.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	078313B7397CA95EF02B96A79EE53FA5	DD52C2B72569CDE270A2153C616F90E45E290BB6	5ED152A56E2E0FEF7827864D5B7998CF95CCC5492250E419B0D29027B8AF512C
C:\5478d9557b6298dc63ac5974e1\DHtmlHeader.html	HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	CD131D41791A543CC6F6ED1EA5BD257C	F42A2708A0B42A13530D26515274D1FCDBFE8490	E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
C:\5478d9557b6298dc63ac5974e1\DisplayIcon.ico	MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel	F9657D290048E169FFABBBB9C7412BE0	E45531D559C38825FBDE6F25A82A638184130754	B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
C:\5478d9557b6298dc63ac5974e1\Graphics\Print.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	D39BAD9DDA7B91613CB29B6BD55F0901	6D079DF41E31FBC836922C19C5BE1A7FC38AC54E	D80FFEB020927F047C11FC4D9F34F985E0C7E5DFEA9FB23F2BC134874070E4E6
C:\5478d9557b6298dc63ac5974e1\Graphics\Rotate1.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	9B70C7FA81DCA6D3B992037D0C251D92	83A11F4B7A5020616257FEF143A7C32164D3927C	18226B9D56D2B1C070A2C606428892773CB00B5B4B95397E79D01DE26685CCD4
C:\5478d9557b6298dc63ac5974e1\Graphics\Rotate10.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	0CCA04A3468575FDCEFEE9957E32F904	AE5A03B47DF97F5F1B14DCA3539A1C4B0F407F15	B94E68C711B3B06D9A63C80AD013C7C7BBDB5F8E82CBC866B246FF22D99B03FE
C:\5478d9557b6298dc63ac5974e1\Graphics\Rotate2.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	F824905E5501603E6720B784ADD71BDD	D71B15E1168306C1E698250EDC5F99F624C73E6F	D15A6F1EEFEFE4F9CD51B7B22E9C7B07C7ACAD72FD53E5F277E6D4E0976036C3
C:\5478d9557b6298dc63ac5974e1\Graphics\Rotate3.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	0ADE6BE0DF29400E5534AA71ABFA03F6	6DDE6E571B2FA45AB2CACF565E488ECACE01DB56	C2F6FAA18B16F728AE5536D5992CC76A4B83530A1EA74B9D11BEBDF871CF3B4E
C:\5478d9557b6298dc63ac5974e1\Graphics\Rotate4.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	267B198FEF022D3B1D44CCA7FE589373	F48215DF0F855328509A47C441A14E3578A20195	303989B692A57FE34B47BB2F926B91AC605F288AE6C9479B33EAF15A14EB33AC
C:\5478d9557b6298dc63ac5974e1\Graphics\Rotate5.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	25F0D572761CB610BDAD6DD980C46CC7	6270EE0684700C5A4D01CD964DC05B82719B0370	CE2AFC0AA52B3D459D6D8D7C551F7B8FBF323E2260326908C37A13F21FEE423E
C:\5478d9557b6298dc63ac5974e1\Graphics\Rotate6.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	5AC2B8E1A766C204F996D9CE33FB3DB4	09CBABDD17A5A0215AD5D5AF509EA9EC315373B6	EE387D9642DF93E4240361077AF6051C1B7E643C3CF110F43DA42E0EFE29A375
C:\5478d9557b6298dc63ac5974e1\Graphics\Rotate7.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	B4947D242AB4A902031FCD1FFD3A56CD	4014A05642118A306C742F56878DB1EA61E78B6B	995C9F4EA0D98C0C4E5037EDE43FC44A680D85CB1E37C782ADAB775915E975B8
C:\5478d9557b6298dc63ac5974e1\Graphics\Rotate8.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	E7A252C763CE259F800183FD9DD1F512	4601C87F90E1C0061A7137370358AE11A4D83A23	FDE052EFE70C27D8023065F0859627FC88BF86E166016E9CB00185C21DE52742
C:\5478d9557b6298dc63ac5974e1\Graphics\Rotate9.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	8853DA1F831CAE28E59D45F5E51885AC	496EEFCFA68DE25ABB899ADDF39498D8420BFA3D	0203C7D678464641C016DC3D658ABA0A68F20B9A141D6E3EE1820C5B8B6401DB
C:\5478d9557b6298dc63ac5974e1\Graphics\Save.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	C66BBE8F84496EF85F7AF6BED5212CEC	1E4EAB9CC728916A8B1C508F5AC8AE38BB4E7BF1	1372C7F132595DDAD210C617E44FEDFF7A990A9E8974CC534CA80D897DD15ABD
C:\5478d9557b6298dc63ac5974e1\Graphics\Setup.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	6125F32AA97772AFDFF2649BD403419B	D84DA82373B599AED496E0D18901E3AFFB6CFACA	A0C7B4B17A69775E1D94123DFCEEC824744901D55B463BA9DCA9301088F12EA5
C:\5478d9557b6298dc63ac5974e1\Graphics\SysReqMet.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	889472312E724195D7B946EECAEA20C1	D099C44B794F7D0414CDA5BA9A6DF432347FF513	C9CA53F83A5CC10F726248D47FF82981B584B3FF62EE591229A8237C11340991
C:\5478d9557b6298dc63ac5974e1\Graphics\SysReqNotMet.ico	MS Windows icon resource - 19 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 48x48, 16 colors, 4 bits/pixel	ECA24331CE0850D188BD2EB5C22DE684	53E910C03AA6BC423717C5B175670517F26F00A4	DEBA0A7A6E2CA99D3380D35AE33F8D266806FDBCBF75FB06B5718BE5873258F6
C:\5478d9557b6298dc63ac5974e1\Graphics\stop.ico	MS Windows icon resource - 36 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, -128x-128, 16 colors, 4 bits/pixel	7D1BCCCE4F2EE7C824C6304C4A2F9736	2C21BF8281AC211759B1D48C6B1217DD6DDFB870	BFB0332DF9FA20DEA30F0DB53CEAA389DF2722FD1ACF37F40AF954237717532D
C:\5478d9557b6298dc63ac5974e1\Graphics\warn.ico	MS Windows icon resource - 36 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, -128x-128, 16 colors, 4 bits/pixel	C8824EA3CE0A54FF1E89F8A296B4E64B	333FEB78E9BB088650CE90DEA0F0CCC57D54A803	4BB9EA033F4E93DBF42FC74E6FAF94FE8B777A34836F7D537436CBE409FD743F
C:\5478d9557b6298dc63ac5974e1\ParameterInfo.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (614), with CRLF line terminators	8E8C25B11FFE1D7BC70E2A31600EDA7A	1452B55EF634E4E5B002CE302702D0C50487FF6C	A2BEC4E2AFD573422045C8C2F461166508535E67ABD32942D4D6FBED77B9FAF8
C:\5478d9557b6298dc63ac5974e1\Setup.exe	PE32 executable (GUI) Intel 80386, for MS Windows	057CE4FB9C8E829AF369AFBC5C4DFD41	094F9D5F107939250F03253CF6BB3A93AE5B2A10	60DD7D10B3F88F1B17E39464BB2D7CA77C9267B846D90CF5728A518A117BD21B
C:\5478d9557b6298dc63ac5974e1\SetupEngine.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	F9618535477DDFEF9FE8B531A44BE1A3	C137A4C7994032A6410EF0A7E6F0F3C5ACB68E03	236BF2B5CF6014B8EE22484AFE172ACE512CC99DBA85080B082D47E9E189EA5C
C:\5478d9557b6298dc63ac5974e1\SetupUi.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	6F51E9B469F95EDB9156C74B4B0F4E1B	5224C3DE0FA4895297898F76ED5647EF40D924F8	9FD4639955338928731A8AB6E131175949A179931B8C9D4FCADD2367D749B826
C:\5478d9557b6298dc63ac5974e1\SetupUi.xsd	XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators	A9F6A028E93F3F6822EB900EC3FDA7AD	8FF2E8F36D690A687233DBD2E72D98E16E7EF249	AAF8CB1A9AF89D250CBC0893A172E2C406043B1F81A211CB93604F165B051848
C:\5478d9557b6298dc63ac5974e1\SetupUtility.exe	PE32 executable (GUI) Intel 80386, for MS Windows	2A20FF4988DB90AE0632D898916950CA	F822B12F4EFB31A99EC4DF9A4D9C9806C55648FA	289E23983692BDBD58AB0CB3B1668B5158D90A9937721185A75247A44D0C3243
C:\5478d9557b6298dc63ac5974e1\SplashScreen.bmp	PC bitmap, Windows 3.x format, 200 x 200 x 24, image size 120002, resolution 11808 x 11808 px/m, cbSize 120056, bits offset 54	BC32088BFAA1C76BA4B56639A2DEC592	84B47AA37BDA0F4CD196BD5F4BD6926A594C5F82	B05141DBC71669A7872A8E735E5E43A7F9713D4363B7A97543E1E05DCD7470A7
C:\5478d9557b6298dc63ac5974e1\Strings.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	8A28B474F4849BEE7354BA4C74087CEA	C17514DFC33DD14F57FF8660EB7B75AF9B2B37B0	2A7A44FB25476886617A1EC294A20A37552FD0824907F5284FADE3E496ED609B
C:\5478d9557b6298dc63ac5974e1\UiInfo.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	C99059ACB88A8B651D7AB25E4047A52D	45114125699FA472D54BC4C45C881667C117E5D4	B879F9BC5B79349FA7B0BDBE63167BE399C5278454C96773885BD70FBFE7C81D
C:\5478d9557b6298dc63ac5974e1\header.bmp	PC bitmap, Windows 3.x format, 49 x 49 x 32, image size 9606, resolution 11808 x 11808 px/m, cbSize 9660, bits offset 54	41C22EFA84CA74F0CE7076EB9A482E38	8E4A371FD51A61244D11C4FC97D738905CE00FBB	255025A0D79EF2DAC04BD610363F966EF58328400BF31E1F8915E676478CD750
C:\5478d9557b6298dc63ac5974e1\sqmapi.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0C0E41EFEEC8E4E78B43D7812857269A	846033946013F959E29CD27FF3F0EAA17CB9E33F	048D51885874D62952E150D69489BCFB643A5131CE8B70A49F10DFB34832702C
C:\5478d9557b6298dc63ac5974e1\watermark.bmp	PC bitmap, Windows 3.x format, 164 x 628 x 8, image size 102994, resolution 3779 x 3779 px/m, cbSize 104072, bits offset 1078	B0075CEE80173D764C0237E840BA5879	B4CF45CD5BB036F4F210DFCBA6AC16665A7C56A8	AB18374B3AAB10E5979E080D0410579F9771DB888BA1B80A5D81BA8896E2D33A
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	data	0D6149F295BC82FBBBFFF19AD17A70FE	C7BEBBEBCBAF7DADE8724EF23EF68FA8ABDC3C14	199914F559E86057F580CB661EE694B6D9BAA7BA027BAF6C14332FF5D132D748
C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json	JSON data	036628E3E3F0728DAA7D53AC1B3EF8CC	65327D9039335E1BAF9E14639AE355195766C9EC	2CAEC4D00BD356241B8B405B1B74386C677D501A7A23CE6EF916EAF912541544
C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_39.ttf	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_39RegularVersion 4.39;O365	1BE236301B686323302632C0EACCFD6F	7EF18B642DBFA9FB6E8AFABACB50F6CA6BD73BB4	90200D640623BFB0518B18D72C3F9828BC6EDA63EAB2DA90FBC27A08AAD165D7
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres	data	EC3C5A0432D63824E959B316E782187F	11BDCBBE3FC704ACA83585F56CC8F809410BB16B	0476A7D6D8E169D190E1E5792AB1217B9B4ED79EECEA0A5BCB916C984C1E0CAD
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres	data	65A143DF329CFA66B47A91C06A7EA2F0	08F201E9CAED250178EDB0C1040FAE72C614C3EB	1631CC82CDD92C112CB39F8A4F9B4C205C5CCA596D06185E02ABD6F0987C8E40
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{2A6588E0-AFBF-4908-A1BC-871D735D026A}.tmp	data	8B897AFACDF983781325C1A5E15E3C39	F210C3EAC93F139FB13FC0D4B5B3E5B7E261B005	FD355AA377417480C68BB11F0664397F2D12AD2AF428B11BDBB4C562C8763ABB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C03101DC-DE7C-4BC5-B6EA-ADD2937839D3}.tmp	data	830FBF83999E052538EAF156AB6ECB17	9F6C69FA4232801D3A4857C630BA7A719662135A	D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{ED74DD25-E671-4FF2-8D67-F75C794FE621}.tmp	data	8B897AFACDF983781325C1A5E15E3C39	F210C3EAC93F139FB13FC0D4B5B3E5B7E261B005	FD355AA377417480C68BB11F0664397F2D12AD2AF428B11BDBB4C562C8763ABB
C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf (copy)	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2057	3E6FC45076A192B91BE2451C152593E0	CE9F2D509148EC7CCF7E571C0DD0D9E416136736	5785F21E3A0AA016D125747F8EFD038EAC8D65F379C398B4F557CAC992DF3D33
C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf (copy)	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2057	3E6FC45076A192B91BE2451C152593E0	CE9F2D509148EC7CCF7E571C0DD0D9E416136736	5785F21E3A0AA016D125747F8EFD038EAC8D65F379C398B4F557CAC992DF3D33
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1714047998000409300_DEFC2796-1969-4D82-9A6E-BDF1716E8B05.log	ASCII text, with very long lines (1338), with CRLF line terminators	E72D363B76572E75993530BD9B453919	5E1E0826273A3304061A888A236E7B421B171FEC	E25A34E35FA85C18B78D3303D7446A39B439CBED8F0EF326E4E40470A1BE4A0E
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1714048002251334800_2456171E-DE2C-4FFA-9FE1-A08ACD6ABD24.log	data	D8105A47EE583CF68E3A965A30863E36	A390EF24D3B3B1D3BF40BA498F74366DFB6B195B	7CD80F676208CAA192B63F07F158047DB8EA7A364D765B094BC8EFEC3A3515B1
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1714048002251967100_2456171E-DE2C-4FFA-9FE1-A08ACD6ABD24.log	data	8F4E33F3DC3E414FF94E5FB6905CBA8C	9674344C90C2F0646F0B78026E127C9B86E3AD77	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
C:\Users\user\AppData\Local\Temp\HFI6F15.tmp.html	HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	CD131D41791A543CC6F6ED1EA5BD257C	F42A2708A0B42A13530D26515274D1FCDBFE8490	E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
C:\Users\user\AppData\Local\Temp\Microsoft .NET Framework 4.8 Setup_20240425_142634789.html	HTML document, Unicode text, UTF-16, little-endian text, with very long lines (389), with CRLF line terminators	DE5934E7B046748AA4752253FF0D6035	3D67638B81B9624BD413664958A0404029F40BFD	6711B98F24251EDD76ED536458E97A4396D93D60BE4075C96CA01C2691D607C5
C:\Users\user\AppData\Local\Temp\Setup_20240425_142630461.html	HTML document, Unicode text, UTF-16, little-endian text, with very long lines (389), with CRLF line terminators	C9CCF1ECDA7DC84C08E30D5E2AC1C5FB	946C119163358F77CDE168E08F3073DC87D07F4A	70C9B6DC0990BA118FB943D92B3D5F1B3FA22B0F66A5C847948E68D73A262DAD
C:\Users\user\AppData\Local\Temp\TFR854F.tmp	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2057	3E6FC45076A192B91BE2451C152593E0	CE9F2D509148EC7CCF7E571C0DD0D9E416136736	5785F21E3A0AA016D125747F8EFD038EAC8D65F379C398B4F557CAC992DF3D33
C:\Users\user\AppData\Local\Temp\TFR9B98.tmp	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2057	3E6FC45076A192B91BE2451C152593E0	CE9F2D509148EC7CCF7E571C0DD0D9E416136736	5785F21E3A0AA016D125747F8EFD038EAC8D65F379C398B4F557CAC992DF3D33
C:\Users\user\AppData\Local\Temp\dd_ndp48-web_decompression_log.txt	CSV text	DCB212ECAFCA6B81B21F176FFDB85B6E	563272BAA39F6F25CC9497837E13E8BDC641356F	02615184AA4B7A4580CE1BA7A072C92F815CE1174A31AE2D3458789DED7301DC
C:\Users\user\AppData\Local\Temp\~$ockersInfo1.rtf	data	667E2C1CCDF2F9C4DC30A961E4362AB4	D096A1D787161948934C99364004D8C6EA7FD199	4EE0085BD621FA5E9592ECDA5FFF6467785BB28975018F95592A4CC102380DB7
C:\Users\user\AppData\Local\Temp\~$ockersInfo2.rtf	data	6CE48C0D8E9102F74AD235DDC72792C2	10C821BC2CA584DDE1808270F5AB7CD4EEBDA477	AFE1822DA215B874CEA471BA18C5305EFF44A215E3C46F057E7936F7B2B91358
C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl	data	BB60905373DD750F890489DBFFBACF2F	A323605502252AC49BCA09D3D6A8E97ADF4CDAAA	B2082B1C0B4CE7F9FC8DA4666C0A146ACEC50ABE2B98206888454583DE668643
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Directory, ctime=Thu Apr 25 11:26:37 2024, mtime=Thu Apr 25 11:26:40 2024, atime=Thu Apr 25 11:26:40 2024, length=0, window=hide	835FF1CDEF5E4942E6BAB0C3D67EED54	08BFB125C0FA2D2D9A3CC832C996C1B09CBF101E	7D9AF1E3B71C1CE1FBAA457EAE623D9DFFEFA1C1F030B2B1AB57B00ADB12B084
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	4E30A3397E81DD38A188E78FC94E5A77	95E2EFA493065E02C7370BEFBE5A4BC1340CF5EF	DDD0B5A9B8BD9275DDD6BD1D9D033C56734A5BB184B4371E50C2200B903397CB
C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm (copy)	Microsoft Word 2007+	E20C79F97B24C273AB7715C9ACD88E8E	BC2D66C6FBF10B1AD391D54B5D3A4B2275EF764B	7CE0303CA5FC3ABE5971F6C16C9DB3AA7C5F81AB67712DA812792A086955F24F
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	5E3B8FF4B35B75CDBA7CE7E2317C71B9	720E1BA558DACAF08FD02F831F90DAFFC356AACD	50DF2A78AFAD42AE16899047FA1CACC92FB659D8BCCDBE408D41C41ABF0546F6
C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp	Microsoft Word 2007+	E20C79F97B24C273AB7715C9ACD88E8E	BC2D66C6FBF10B1AD391D54B5D3A4B2275EF764B	7CE0303CA5FC3ABE5971F6C16C9DB3AA7C5F81AB67712DA812792A086955F24F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D3HZ3LTKKPLIUW81BSEJ.temp	data	E4A1661C2C886EBB688DEC494532431C	A2AE2A7DB83B33DC95396607258F553114C9183C	B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (copy)	data	E4A1661C2C886EBB688DEC494532431C	A2AE2A7DB83B33DC95396607258F553114C9183C	B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5

Windows Analysis Report ndp48-web.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report
ndp48-web.exe