Edit tour

Windows Analysis Report
ndp48-web.exe

Overview

General Information

Sample name:	ndp48-web.exe
Analysis ID:	1431611
MD5:	34a5c76979563918b953e66e0d39c7ef
SHA1:	4181398aa1fd5190155ac3a388434e5f7ea0b667
SHA256:	0bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	48
Range:	0 - 100

Signatures

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

ndp48-web.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\ndp48-web.exe" MD5: 34A5C76979563918B953E66E0D39C7EF)

Setup.exe (PID: 7548 cmdline: C:\5478d9557b6298dc63ac5974e1\\Setup.exe /x86 /x64 /web MD5: 057CE4FB9C8E829AF369AFBC5C4DFD41)

WINWORD.EXE (PID: 7652 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

splwow64.exe (PID: 7864 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

WINWORD.EXE (PID: 3484 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

splwow64.exe (PID: 7520 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

splwow64.exe (PID: 7936 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

cleanup

Sigma Signatures

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 7652, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1030\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1043\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1035\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1038\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1045\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1029\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1037\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1025\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1032\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1044\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1053\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1046\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2070\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1055\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1049\eula.rtf	Jump to behavior

Source:	Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: ndp48-web.exe
Source:	Binary string: sqmapi.pdb source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1643088661.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1642873053.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, ndp48-web.exe, 00000000.00000003.1643183335.0000000000CFF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097119067.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, sqmapi.dll.0.dr
Source:	Binary string: SetupEngine.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097226411.000000006CAC1000.00000020.00000001.01000000.00000005.sdmp, SetupEngine.dll.0.dr
Source:	Binary string: SetupUtility.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.0.dr
Source:	Binary string: SetupUtility.pdb5 source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.0.dr
Source:	Binary string: Setup.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4094321813.0000000000EE1000.00000020.00000001.01000000.00000004.sdmp, Setup.exe.0.dr
Source:	Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: ndp48-web.exe
Source:	Binary string: SetupResources.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4097511959.000000006E321000.00000020.00000001.01000000.0000000C.sdmp, SetupResources.dll20.0.dr, SetupResources.dll10.0.dr, SetupResources.dll4.0.dr, SetupResources.dll11.0.dr, SetupResources.dll5.0.dr, SetupResources.dll2.0.dr, SetupResources.dll13.0.dr, SetupResources.dll7.0.dr, SetupResources.dll12.0.dr, SetupResources.dll16.0.dr, SetupResources.dll14.0.dr, SetupResources.dll18.0.dr, SetupResources.dll19.0.dr, SetupResources.dll3.0.dr, SetupResources.dll17.0.dr, SetupResources.dll1.0.dr, SetupResources.dll9.0.dr, SetupResources.dll22.0.dr, SetupResources.dll6.0.dr, SetupResources.dll0.0.dr, SetupResources.dll15.0.dr, SetupResources.dll21.0.dr, SetupResources.dll.0.dr, SetupResources.dll8.0.dr
Source:	Binary string: SetupUi.pdb source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.4096935660.000000006C631000.00000020.00000001.01000000.0000000B.sdmp, SetupUi.dll.0.dr

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: Setup.exe, 00000001.00000003.1674388120.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1674301361.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic

Source: SetupResources.dll10.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SetupResources.dll10.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: SetupResources.dll7.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll1.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll11.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll4.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll22.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll14.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll17.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll16.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll19.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll13.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll5.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll8.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll9.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll10.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll21.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll2.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll18.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll0.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll3.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll15.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll6.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll12.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll20.0.dr	Static PE information: No import functions for PE file found

Source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1623425541.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1642873053.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000002.4086062566.00000000000FD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1642980054.0000000000D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupUI.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupUtility.exe\ vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupEngine.dllT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupResources.dllT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupResources.dllX vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupResources.dll\ vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.dllT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1641788908.0000000006102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000000.1622920091.00000000000FD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe
Source: ndp48-web.exe, 00000000.00000003.1643183335.0000000000CFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqmapi.dllj% vs ndp48-web.exe
Source: ndp48-web.exe	Binary or memory string: OriginalFilenameBoxStub.exeT vs ndp48-web.exe

Source: unknown	Process created: C:\Users\user\Desktop\ndp48-web.exe "C:\Users\user\Desktop\ndp48-web.exe"
Source: C:\Users\user\Desktop\ndp48-web.exe	Process created: C:\5478d9557b6298dc63ac5974e1\Setup.exe C:\5478d9557b6298dc63ac5974e1\\Setup.exe /x86 /x64 /web
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\ndp48-web.exe	Process created: C:\5478d9557b6298dc63ac5974e1\Setup.exe C:\5478d9557b6298dc63ac5974e1\\Setup.exe /x86 /x64 /web	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf"	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288

Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ndp48-web.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: setupengine.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: sqmapi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: setupui.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ndp48-web.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SetupResources.dll7.0.dr	Static PE information: real checksum: 0x85b6 should be: 0x11869
Source: SetupResources.dll.0.dr	Static PE information: real checksum: 0x6ea5 should be: 0x14bba
Source: SetupResources.dll1.0.dr	Static PE information: real checksum: 0xeaf1 should be: 0xf9e7
Source: SetupResources.dll11.0.dr	Static PE information: real checksum: 0x152f3 should be: 0xfcfd
Source: SetupUi.dll.0.dr	Static PE information: real checksum: 0x5bb56 should be: 0x580a0
Source: SetupResources.dll4.0.dr	Static PE information: real checksum: 0x15ab2 should be: 0x11a19
Source: SetupResources.dll22.0.dr	Static PE information: real checksum: 0x79e2 should be: 0x14200
Source: SetupResources.dll14.0.dr	Static PE information: real checksum: 0xb54d should be: 0xe4b6
Source: SetupResources.dll17.0.dr	Static PE information: real checksum: 0x74cf should be: 0xed2c
Source: SetupResources.dll16.0.dr	Static PE information: real checksum: 0x133a7 should be: 0x11cfc
Source: SetupResources.dll19.0.dr	Static PE information: real checksum: 0x664a should be: 0x6bd6
Source: SetupResources.dll13.0.dr	Static PE information: real checksum: 0xe0f8 should be: 0x12f83
Source: SetupResources.dll5.0.dr	Static PE information: real checksum: 0xff36 should be: 0x92e3
Source: SetupResources.dll8.0.dr	Static PE information: real checksum: 0x8bd9 should be: 0x12d34
Source: SetupResources.dll9.0.dr	Static PE information: real checksum: 0xda87 should be: 0x11fd2
Source: SetupResources.dll10.0.dr	Static PE information: real checksum: 0xccb2 should be: 0x10498
Source: SetupResources.dll2.0.dr	Static PE information: real checksum: 0x1120b should be: 0x9889
Source: Setup.exe.0.dr	Static PE information: real checksum: 0x241d1 should be: 0x2b297
Source: SetupResources.dll18.0.dr	Static PE information: real checksum: 0x108c5 should be: 0x81a2
Source: SetupResources.dll0.0.dr	Static PE information: real checksum: 0xc251 should be: 0x7278
Source: SetupResources.dll3.0.dr	Static PE information: real checksum: 0x130f6 should be: 0xfb6f
Source: SetupEngine.dll.0.dr	Static PE information: real checksum: 0xe3382 should be: 0xe90f6
Source: SetupResources.dll15.0.dr	Static PE information: real checksum: 0xc4a3 should be: 0x13cd1
Source: SetupResources.dll6.0.dr	Static PE information: real checksum: 0x53a2 should be: 0x586f
Source: SetupResources.dll12.0.dr	Static PE information: real checksum: 0x106a2 should be: 0x12659
Source: SetupResources.dll20.0.dr	Static PE information: real checksum: 0x14ea0 should be: 0xd534

Source: ndp48-web.exe	Static PE information: section name: .boxld01
Source: SetupResources.dll.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll0.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll1.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll2.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll3.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll4.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll5.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll6.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll7.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll8.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll9.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll10.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll11.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll12.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll13.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll14.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll15.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll16.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll17.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll18.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll19.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll20.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll21.0.dr	Static PE information: section name: .00cfg
Source: SetupResources.dll22.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1038\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\SetupUi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2070\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1044\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1043\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1046\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1045\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\SetupUtility.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1025\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1053\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\sqmapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1055\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\SetupEngine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1029\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1035\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1037\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1030\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1032\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	File created: C:\5478d9557b6298dc63ac5974e1\Setup.exe	Jump to dropped file

Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1038\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\2070\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1044\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1043\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1046\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1045\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\SetupUtility.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1053\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1025\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1055\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1029\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1035\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1037\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1030\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1032\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ndp48-web.exe	Dropped PE file which has not been started: C:\5478d9557b6298dc63ac5974e1\1031\SetupResources.dll	Jump to dropped file

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ndp48-web.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\5478d9557b6298dc63ac5974e1\Setup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: Setup.exe, 00000001.00000002.4096365834.0000000008480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Setup.exe, 00000001.00000002.4096712651.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	4 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Link
C:\5478d9557b6298dc63ac5974e1\1025\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1025\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1028\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1028\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1029\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1029\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1030\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1030\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1031\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1031\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1032\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1032\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1033\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1033\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1035\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1035\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1036\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1036\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1037\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1037\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1038\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1038\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1040\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1040\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1041\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1041\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1042\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1042\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1043\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1043\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1044\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1044\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1045\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1045\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1046\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1046\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1049\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1049\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1053\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1053\SetupResources.dll	0%	Virustotal	Browse
C:\5478d9557b6298dc63ac5974e1\1055\SetupResources.dll	0%	ReversingLabs
C:\5478d9557b6298dc63ac5974e1\1055\SetupResources.dll	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://go.mic	0%	URL Reputation	safe
http://go.mic	0%	URL Reputation	safe

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ndp48-web.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\5478d9557b6298dc63ac5974e1\1025\LocalizedData.xml

C:\5478d9557b6298dc63ac5974e1\1025\SetupResources.dll

C:\5478d9557b6298dc63ac5974e1\1025\eula.rtf

C:\5478d9557b6298dc63ac5974e1\1028\LocalizedData.xml

C:\5478d9557b6298dc63ac5974e1\1028\SetupResources.dll

C:\5478d9557b6298dc63ac5974e1\1028\eula.rtf

C:\5478d9557b6298dc63ac5974e1\1029\LocalizedData.xml

C:\5478d9557b6298dc63ac5974e1\1029\SetupResources.dll

C:\5478d9557b6298dc63ac5974e1\1029\eula.rtf

C:\5478d9557b6298dc63ac5974e1\1030\LocalizedData.xml

C:\5478d9557b6298dc63ac5974e1\1030\SetupResources.dll

C:\5478d9557b6298dc63ac5974e1\1030\eula.rtf

C:\5478d9557b6298dc63ac5974e1\1031\LocalizedData.xml

C:\5478d9557b6298dc63ac5974e1\1031\SetupResources.dll

C:\5478d9557b6298dc63ac5974e1\1031\eula.rtf

C:\5478d9557b6298dc63ac5974e1\1032\LocalizedData.xml

C:\5478d9557b6298dc63ac5974e1\1032\SetupResources.dll

C:\5478d9557b6298dc63ac5974e1\1032\eula.rtf

C:\5478d9557b6298dc63ac5974e1\1033\LocalizedData.xml

C:\5478d9557b6298dc63ac5974e1\1033\SetupResources.dll

C:\5478d9557b6298dc63ac5974e1\1033\eula.rtf

Windows Analysis Report
ndp48-web.exe

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431611
Start date and time:	2024-04-25 14:25:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ndp48-web.exe
Detection:	CLEAN
Classification:	clean3.winEXE@14/132@0/0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://1drv.ms/o/s!AmFI0faGJpjZhESzK-ltQ-Z_UHmf?e=0OfhLS	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://ipscanadvsf.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.canva.com/design/DAGDNh45X_4/PPCLYIV4Y8uUaoEW7ZJrJQ/view?utm_content=DAGDNh45X_4&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	199.232.214.172
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	199.232.210.172
	https://bind.bestresulttostart.com/scripts/statistics.js?s=7.8.2	Get hash	malicious	Unknown	Browse	199.232.214.172
	SaturdayNight.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	FTG_PD_04024024001.vbs	Get hash	malicious	FormBook, GuLoader	Browse	199.232.214.172
	SWIFT.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.232.210.172
	https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p	Get hash	malicious	Unknown	Browse	199.232.214.172
	page97.exe	Get hash	malicious	LonePage	Browse	199.232.210.172

Process:	C:\Users\user\Desktop\ndp48-web.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (433), with CRLF line terminators
Category:	dropped
Size (bytes):	82394
Entropy (8bit):	4.113900576434787
Encrypted:	false
SSDEEP:	384:4YPMFNhaVwV/VLVWPD66KUtycONAkwtj7l/XeqyEnmM7cBp9stCctFnDRydTJleD:XlxcdGUTJleYi
MD5:	D8165BEB3B8433921D0D5611B85BFA35
SHA1:	BEF57E3511E18170EBBC9AE3AEFD73CE3F50F8F4
SHA-256:	B092668E0825F7F498ACDC1BF10E1D2CB6CA99497389142CF9AF815F25A4B712
SHA-512:	9FA221F549B4E660C4F40C7AB0E483E3D9A9204248DA51675058F32F4F56667C782667295DECBB441A581F582A099FE34C6CC569D0C4EC13E85C680ABF5870B0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.r.a.n.d.i.n.g._.M.i.c.r.o.s.o.f.t.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".M.i.c.r.o.s.o.f.t."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.r.a.n.d.i.n.g._.D.o.t.N.e.t.F.x.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...N.E.T. .F.r.a.m.e.w.o.r.k."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.r.a.n.d.i.n.g._.D.o.t.N.e.t.U.m.b.r.e.l.l.a.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.r.a.n.d.i.n.g._.M.a.j.o.r.M.i.n.o.r.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.4620383296566426
Encrypted:	false
SSDEEP:	6:kKbey8QMiJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:TeyVckPlE99SCQl2DUevat
MD5:	0D6149F295BC82FBBBFFF19AD17A70FE
SHA1:	C7BEBBEBCBAF7DADE8724EF23EF68FA8ABDC3C14
SHA-256:	199914F559E86057F580CB661EE694B6D9BAA7BA027BAF6C14332FF5D132D748
SHA-512:	FC6AD90E6D4D474907A64C1D777B570C00B2E8BEC0444CB0672CE78368621F0129851F39CE4315A79D8CFEA4489C4FFF47A510499A88122F38DAC3D2886A0987
Malicious:	false
Preview:	p...... ..........A.....(...................................................@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

Process:	C:\5478d9557b6298dc63ac5974e1\Setup.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2057
Category:	dropped
Size (bytes):	276
Entropy (8bit):	4.911147031403735
Encrypted:	false
SSDEEP:	6:L4VXdLz6DyoVR5QalKefqeS4CAYOBFQrZIG62:MXdLOffQalqeS4CAJ8lIz2
MD5:	3E6FC45076A192B91BE2451C152593E0
SHA1:	CE9F2D509148EC7CCF7E571C0DD0D9E416136736
SHA-256:	5785F21E3A0AA016D125747F8EFD038EAC8D65F379C398B4F557CAC992DF3D33
SHA-512:	DA8CB0D5628406279A4D09F06386917E972CE68918720A090F6C0E9D1161AB3371AFFED2D39A44ED2F365A272C1D9B8E777A41EE82576951C0007DE8DBE98353
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang2057{\fonttbl{\f0\fnil\fcharset0 MS Shell Dlg 2;}}..\viewkind4\uc1\pard\ul\b\f0\fs23 Details\ulnone\b0\fs17\par..\par..\pard\li175 .NET Framework 4.8 or a later update is already installed on this computer.\par..\pard\par..\par..\par..}...

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.933576390037491
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ndp48-web.exe
File size:	1'439'328 bytes
MD5:	34a5c76979563918b953e66e0d39c7ef
SHA1:	4181398aa1fd5190155ac3a388434e5f7ea0b667
SHA256:	0bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa
SHA512:	642721c60d52051c7f3434d8710fe3406a7cfe10b2b39e90ea847719ed1697d7c614f2df44ad50412b1df8c98dd78fdc57ca1d047d28c81ac158092e5fb18040
SSDEEP:	24576:xGHL3siy910NSmtLvUDSRbm4Jah1rVx8MjoGO8W6cbZtgd6AmpITsz0+lLF7cy:mL3s7K8eTUDBzrVx8MjoGO8W6cbs8NpT
TLSH:	2165222333B0C473D0A3163097A1A3B62D79B2BB4370854BBFA4572D1F667D066B9B16
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..T>.WT>.WT>.WO.DWU>.Ws..WW>.W...WU>.W;HqWz>.W;HDW@>.W;HpW=>.W...WE>.WT>.W.>.WO.uW.>.WO.AWU>.WO.@WU>.WO.GWU>.WRichT>.W.......

Entrypoint:	0x418ee7
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x596BD5FC [Sun Jul 16 21:09:16 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	9b2f6a441f9ff8df98ae6e9e6b5d4271

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	15/12/2020 21:31:45 02/12/2021 21:31:45
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	658DCC2A890351DF97DC9F05146283C0
Thumbprint SHA-1:	ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B
Thumbprint SHA-256:	E39CC80A0DF6F2BED821D11B49717306138C1D19FD20190336BF1C4297638A79
Serial:	33000001DF6BF02E92A74AB4D00000000001DF

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x280e0	0x9a	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d000	0xb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x1ee4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x15d2a0	0x23c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32000	0x1a38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1040	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5800	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2d354	0x2a0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x27ff4	0x60	.text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2717a	0x27200	7b3b1ee9ae8ad7764ec9d706f5340480	False	0.5425132288338658	Matlab v4 mat-file (little endian) \227\305A, numeric, rows 4352195, columns 0	6.57385410268325	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x29000	0x3760	0x1400	a149d291b9bcd11002c627167764f938	False	0.2154296875	data	2.4578047267305063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2d000	0x11e8	0x1200	21f29dcea9763e518871fb03f70a5066	False	0.4370659722222222	data	5.496931567610224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.boxld01	0x2f000	0xb6	0x200	118f53165c330598d57a34ca3d476f86	False	0.248046875	data	1.655867030025736	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x1ee4	0x2000	0fd002798f59e06d78e2d5855cb4e247	False	0.3275146484375	data	4.292525485894544	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x32000	0x2944	0x2a00	0e90504f35d64a06ae725d5c4572a9e4	False	0.5183221726190477	data	4.988671510567249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ