Analysis Report LIQUIDACION INTERBANCARIA 02_22_2021.xls

Overview

General Information

Sample Name: LIQUIDACION INTERBANCARIA 02_22_2021.xls
Analysis ID: 356267
MD5: 8cc0e4d5044939ef3d7a7d8825d8c9c9
SHA1: 61ca1ae2ac0fa0fb0f075ee09f9ff83985b5b66b
SHA256: 35cf92b551f09ba61770ce1c7c5dc73b3c3e291eb98948c87d430646370a103f
Tags: ESP, geo, Outlook, xls

Detection

Hidden Macro 4.0 MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected MassLogger RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the startup folder
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
May check the online IP address of the machine
Office process drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

AV Detection:

Antivirus detection for URL or domain
Source: http://pastex.pro Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\a.exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\a.exe Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 185.162.146.6:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49755 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\CalcFis\obj\Debug\CalcFis.pdb source: a.exe, mensajeria_system[1].exe.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\PROGRAMDATA\a.exe
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: mensajeria_system[1].exe.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\ProgramData\a.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.seyranikenger.com.tr
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 185.162.146.6:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 185.162.146.6:443

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49761 -> 208.91.199.223:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1 Host: pastex.pro Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 54.225.220.115 54.225.220.115
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49761 -> 208.91.199.223:587
Source: global traffic HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1 Host: pastex.pro Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: www.seyranikenger.com.tr
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify
Source: a.exe, 0000000D.00000002.953282286.0000000002F0B000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org/
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org4
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.orgD
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify8
Source: a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 0000000A.00000002.810606306.0000000000D7C000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.cg
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: a.exe, 0000000D.00000002.953282286.0000000002F0B000.00000004.00000001.sdmp String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0M
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicm
Source: a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0A
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://pastex.pro
Source: a.exe, a.exe, 00000014.00000000.833793134.0000000000B22000.00000002.00020000.sdmp, mensajeria_system[1].exe.0.dr String found in binary or memory: http://pastex.pro/b/AEmdBGcmp
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngP
Source: a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.818610560.0000000004C71000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp String found in binary or memory: http://smtp.saleforceconsults.com
Source: a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlP
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.office.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.onedrive.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://augloop.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://cdn.entity.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://cortana.ai/api
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://cr.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://directory.services.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/PesterP
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 0000000A.00000003.789977084.0000000005699000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://graph.windows.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://graph.windows.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://login.windows.local
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://management.azure.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://management.azure.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://messaging.office.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ncus-000.contentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://officeapps.live.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://onedrive.live.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://outlook.office.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk
Source: a.exe, 00000001.00000002.709635511.00000000027D3000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.772094694.00000000028B3000.00000004.00000001.sdmp, a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com4
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://settings.outlook.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://tasks.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://wus2-000.contentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown HTTPS traffic detected: 185.162.146.6:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49755 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: a.exe, 00000001.00000002.708928788.0000000000AFB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Found Excel 4.0 Macro with suspicious formulas
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls Initial sample: High usage of CHAR() function: 23
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\ProgramData\a.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe Jump to dropped file
Detected potential crypto function
Source: C:\ProgramData\a.exe Code function: 1_2_00E6C154 1_2_00E6C154
Source: C:\ProgramData\a.exe Code function: 1_2_00E6E597 1_2_00E6E597
Source: C:\ProgramData\a.exe Code function: 1_2_00E6E598 1_2_00E6E598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 11_2_00FAC154 11_2_00FAC154
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 11_2_00FAE598 11_2_00FAE598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 11_2_00FAE589 11_2_00FAE589
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD579D 13_2_02BD579D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD0740 13_2_02BD0740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD16A8 13_2_02BD16A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD16FC 13_2_02BD16FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD16E7 13_2_02BD16E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD17B2 13_2_02BD17B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD178B 13_2_02BD178B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD0730 13_2_02BD0730
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD172C 13_2_02BD172C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD170F 13_2_02BD170F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD1773 13_2_02BD1773
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD175A 13_2_02BD175A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD1741 13_2_02BD1741
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD04D8 13_2_02BD04D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD04C9 13_2_02BD04C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD3F7D 13_2_02BD3F7D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_054121F8 13_2_054121F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_054152E8 13_2_054152E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_05411928 13_2_05411928
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_0541A710 13_2_0541A710
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_0541A6FF 13_2_0541A6FF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_054115E0 13_2_054115E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_0690BFD6 13_2_0690BFD6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06907994 13_2_06907994
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06E04F4F 13_2_06E04F4F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06E03F58 13_2_06E03F58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06E01B88 13_2_06E01B88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BDD250 13_2_02BDD250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 17_2_028DC154 17_2_028DC154
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 17_2_028DE589 17_2_028DE589
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 17_2_028DE598 17_2_028DE598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 20_2_01560740 20_2_01560740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 20_2_0156579D 20_2_0156579D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 20_2_015604D8 20_2_015604D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 20_2_015604C9 20_2_015604C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 20_2_01560730 20_2_01560730
Document contains embedded VBA macros
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls OLE indicator, VBA macros: true
Yara signature match
Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 (same rule metadata as above)
Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.adwa.spyw.expl.evad.winXLS@21/14@13/5
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Mutant created: \Sessions\1\BaseNamedObjects\Kdjaq
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{1430B6D9-1049-4B57-9D78-04A0226B6D97} - OProcSessId.dat
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls OLE indicator, Workbook stream: true
Source: C:\ProgramData\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\ProgramData\a.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\ProgramData\a.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\ProgramData\a.exe C:\PROGRAMDATA\a.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\ProgramData\a.exe C:\PROGRAMDATA\a.exe
Source: C:\ProgramData\a.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\ProgramData\a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\ProgramData\a.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\CalcFis\obj\Debug\CalcFis.pdb source: a.exe, mensajeria_system[1].exe.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
.NET source code contains potential unpacker
Source: 1.2.a.exe.410000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.a.exe.410000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.a.exe.540000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.a.exe.540000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.a.exe.270000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.a.exe.270000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.a.exe.a90000.1.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.a.exe.a90000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.a.exe.5b0000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Yara detected Beds Obfuscator
Source: Yara match File source: 00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match File source: 1.2.a.exe.6e20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.7530000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3a89990.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.7590000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3969990.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.7590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.6e20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3889990.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.7530000.5.raw.unpack, type: UNPACKEDPE
Yara detected Costura Assembly Loader
Source: Yara match File source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 5508, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match File source: 1.2.a.exe.39bc1e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3a9c1e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3a9c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3b7c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3c9c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3bbc1e0.2.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\ProgramData\a.exe Code function: 1_2_00E640C1 push eax; retn 0004h 1_2_00E640C2
Source: C:\ProgramData\a.exe Code function: 1_2_00E642DB pushad ; ret 1_2_00E642DE
Source: C:\ProgramData\a.exe Code function: 1_2_00E64450 push 6C04C257h; ret 1_2_00E64455
Source: C:\ProgramData\a.exe Code function: 1_2_00E6450F push edi; retn 0004h 1_2_00E64512
Source: C:\ProgramData\a.exe Code function: 1_2_00E66940 push 9E4C04C2h; ret 1_2_00E66946
Source: C:\ProgramData\a.exe Code function: 1_2_00E66910 push 9C8C04C2h; ret 1_2_00E6691E
Source: C:\ProgramData\a.exe Code function: 1_2_00E6B168 pushfd ; retn 0004h 1_2_00E6B16A
Source: C:\ProgramData\a.exe Code function: 1_2_00E69C98 pushfd ; ret 1_2_00E69CA6
Source: C:\ProgramData\a.exe Code function: 1_2_00E6FF29 push esp; ret 1_2_00E6FF2E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_0541EA3B push 8B0541EBh; retf 13_2_0541EA47
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06900998 pushad ; iretd 13_2_06901631
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_0690F6D2 push eax; iretd 13_2_0690F6D9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06E07F5B push esp; retf 13_2_06E07F5C

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\ProgramData\a.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\ProgramData\a.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Windows\SysWOW64\wscript.exe PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\wscript.exe PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe