Windows Analysis Report
FW_ Orderbevestiging - 85500000571-1.msg

Overview

General Information

Sample name: FW_ Orderbevestiging - 85500000571-1.msg
Analysis ID: 1545398
MD5: a9422298d9085c485ab3d4f845b623f6
SHA1: d1c2d34e89a750af95778144444a2b223c32dc0c
SHA256: 4d0f3996b52628d5b6c260c37705d02b6d6b5b0b7799460b47688566205ccac7

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

AI detected potential phishing Email
AV process strings found (often used to terminate AV products)
Creates a window with clipboard capturing capabilities
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device

Classification

Source: FW_ Orderbevestiging - 85500000571-1.msg String found in binary or memory: <https://www.youtube.com/@thermo-cleangroup5215> <https://nl.linkedin.com/company/thermo-clean/> <https://www.facebook.com/thermoclean/> equals www.facebook.com (Facebook)
Source: FW_ Orderbevestiging - 85500000571-1.msg String found in binary or memory: <https://www.youtube.com/@thermo-cleangroup5215> <https://nl.linkedin.com/company/thermo-clean/> <https://www.facebook.com/thermoclean/> equals www.linkedin.com (Linkedin)
Source: FW_ Orderbevestiging - 85500000571-1.msg String found in binary or memory: <https://www.youtube.com/@thermo-cleangroup5215> <https://nl.linkedin.com/company/thermo-clean/> <https://www.facebook.com/thermoclean/> equals www.youtube.com (Youtube)
Source: ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr String found in binary or memory: HYPERLINK "https://www.facebook.com/thermoclean/" equals www.facebook.com (Facebook)
Source: ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr String found in binary or memory: HYPERLINK "https://www.youtube.com/@thermo-cleangroup5215" equals www.youtube.com (Youtube)
Source: FW_ Orderbevestiging - 85500000571-1.msg String found in binary or memory: tube.com/@thermo-cleangroup5215","url/urlTextSpan":{"beginIndex":2552,"length":0},"@EntityId":"324415ba-acef-4051-b4a9-bd180f3392d0","@extractionTimeUtc":"2024-10-30T12:29:27.3557852\u002B00:00"},{"url":"https://nl.linkedin.com/company/thermo-clean/","url/urlTextSpan":{"beginIndex":2984,"length":0},"@EntityId":"10c067f5-29d7-4e1b-94fc-7e511b11d108","@extractionTimeUtc":"2024-10-30T12:29:27.3557884\u002B00:00"},{"url":"https://www.facebook.com/thermoclean/","url/urlTextSpan":{"beginIndex":3461,"length":0},"@EntityId":"2bea24bf-21ad-43ef-a97d-8c5ab54acc10","@extractionTimeUtc":"2024-10-30T12:29:27.3557894\u002B00:00"},{"url":"http://www.thermoclean.com/en/about-us/privacy-declaration","url/urlTextSpan":{"beginIndex":4766,"length":51},"@EntityId":"9a116a41-a1e6-4c84-ae9d-9caee7378991","@extractionTimeUtc":"2024-10-30T12:29:27.3557916\u002B00:00"}][{"url":"http://www.thermoclean.com","url/anchorText":"www.thermoclean.com","url/urlTextSpan":{"beginIndex":2373,"length":19},"@EntityId":"c15abe4f-b6d0-488a-bc53-8feda93f35ef","@extractionTimeUtc":"2024-10-30T12:29:27.3557799\u002B00:00"},{"url":"https://www.youtube.com/@thermo-cleangroup5215","url/anchorText":"","url/urlTextSpan":{"beginIndex":2552,"length":0},"@EntityId":"229f0902-1c7e-4ad6-8644-0a0c0945375d","@extractionTimeUtc":"2024-10-30T12:29:27.3557852\u002B00:00"},{"url":"https://nl.linkedin.com/company/thermo-clean/","url/anchorText":"","url/urlTextSpan":{"beginIndex":2984,"length":0},"@EntityId":"9419ca8e-7554-453f-a32d-381b6c939ecb","@extractionTimeUtc":"2024-10-30T12:29:27.3557884\u002B00:00"},{"url":"https://www.facebook.com/thermoclean/","url/anchorText":"","url/urlTextSpan":{"beginIndex":3461,"length":0},"@EntityId":"417c3a6d-d068-4490-a440-d6731d36cbf5","@extractionTimeUtc":"2024-10-30T12:29:27.3557894\u002B00:00"},{"url":"http://www.thermoclean.com/en/about-us/privacy-declaration","url/anchorText":"www.thermoclean.com/en/about
-us/privacy-declaration","url/urlTextSpan":{"beginIndex":4766,"length":51},"@EntityId":"d652c086-b055-43b2-9015-c318a9b9515b","@extractionTimeUtc":"2024-10-30T12:29:27.3557916\u002B00:00"}]ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097)(140003);dFpKbsRK3L9RjnFLSuKGiNiEQgQy/A8PgFlzsnwt8+fHv7WtVhjdinysRNYPlN+x/VsHn9UAD4hqMuc9HCzKhVhjGSkiA11GClKxr+DpE+uP0IgusjkLYq2d6OH4h+OFChIRNFf3SiCyM4yIFbhSzjADuWycM0VRlbmvNwj+uCF2ge+EptlN++uw2nAWGJOn9r7LH7mUB2uQK0E4Kfed3g6uyImrvZe8dNrZZr2Ot4azG/yShJnY6qBct6li/N0jA1OsJD7yGGyVwSVxMmxNwtogTS8FivoYPXCKLdq00PpV9pSNXzUvvIRfvVKXRZ0rCm7gc/HyMUiyRz7ibSaUH/YI4bVKKMaeiwrnUIt33ZhwdwPEFTwfgvvqGzLwwnTgt5gmPvARcBQpWfrVJc+1IMZ0KiM498IZty6AO3cO1mh3aqcxVWyiiWYI3E3MlYdZiX8hlMLJmi9yD/lw7Meky4FVayZxEsMLfvB7q7Y2BLqUId+2L3zeL8AEP3Uhn8YXuc5Eb1ClHFPh5k4SmzmfzgNeCxslBYgqGT3YARRNueBcCPZozB2V57/ip0VbcsVJtD3+tCi1WJaoXAf2vLLWhPq73298tqPB+hTcbovhz39mhkKEPm+057w2JKu+Uhn7UKQbuaAcmncTdX21OEDNXY6e5iPMfVla0WBIi4C066N6/C50gO2ntNN+ts4IFlo8G3PaZ5IH0fk5hZLULtiEXHrv8RvumfMpgSVEDSVrKZsOspHLECr/0ft1F4RxBO69pB2fBUva69Px2kip3fY2yRkzYFjsFL70R
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr String found in binary or memory: http://www.thermoclean.com
Source: FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr String found in binary or memory: http://www.thermoclean.com/en/about-us/privacy-declaration
Source: OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr String found in binary or memory: https://login.windows.local
Source: OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr String found in binary or memory: https://login.windows.localR
Source: OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr String found in binary or memory: https://login.windows.localnullD
Source: OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr String found in binary or memory: https://login.windows.localnullche
Source: FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr String found in binary or memory: https://nl.linkedin.com/company/thermo-clean/
Source: FW_ Orderbevestiging - 85500000571-1.msg String found in binary or memory: https://www.you__substg1.0_8023001F
Source: FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr String found in binary or memory: https://www.youtube.com/
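The hashes under General Information and the "String found in binary or memory ... equals www.facebook.com (Facebook)" lines above are the two cheapest checks to reproduce on your own copy of a sample. The script below is an added example, not part of this report and not the sandbox vendor's code: it fingerprints the file bytes, pulls URL strings out of both ASCII and UTF-16LE text (an Outlook .msg is an OLE compound file and its string properties, the __substg1.0_xxxx001F streams such as the one leaking into the https://www.you__substg1.0_8023001F string above, are UTF-16LE), and sorts each link into "claimed sender's own domain", "well-known brand" or "other". EXAMPLE_MSG is a constructed stand-in for the sample; BRAND_HOSTS is hand-picked from the matches above; the sender domain passed to classify_links (thermoclean.com, the domain in the mail signature) is an assumption of the example.

```python
"""Added triage helper; not part of the sandbox report or any vendor tool."""
import hashlib
import re
from urllib.parse import urlparse

# Hashes exactly as printed in the report header, so a local copy can be checked.
REPORT_HASHES = {
    "md5": "a9422298d9085c485ab3d4f845b623f6",
    "sha1": "d1c2d34e89a750af95778144444a2b223c32dc0c",
    "sha256": "4d0f3996b52628d5b6c260c37705d02b6d6b5b0b7799460b47688566205ccac7",
}

# Brand hosts the sandbox matched in this sample (assumption: hand-picked list).
BRAND_HOSTS = {
    "www.facebook.com": "Facebook",
    "www.linkedin.com": "Linkedin",
    "nl.linkedin.com": "Linkedin",
    "www.youtube.com": "Youtube",
}

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def fingerprint(data: bytes) -> dict:
    """MD5/SHA1/SHA256 hex digests of the file bytes (the General Information fields)."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only if all three digests equal the ones printed in the report."""
    return fingerprint(data) == REPORT_HASHES


def extract_urls(data: bytes) -> list:
    """Unique URLs in first-seen order, from ASCII text and from UTF-16LE text.

    data[0::2] and data[1::2] drop the NUL high bytes of UTF-16LE text in the
    ASCII range, at both possible alignments; that is what the report's
    'String found in binary or memory' scan sees in a .msg property stream."""
    seen, found = set(), []
    for view in (data, data[0::2], data[1::2]):
        for match in URL_RE.finditer(view):
            url = match.group().decode("ascii", "replace").rstrip(".,;)'")
            if url not in seen:
                seen.add(url)
                found.append(url)
    return found


def classify_links(urls, sender_domain: str) -> dict:
    """Bucket URLs by host: the claimed sender's domain, a known brand, or other.

    'other' is where a phishing triage looks first: a mail that claims to come
    from one company but sends the reader somewhere unrelated."""
    buckets = {"sender": [], "brand": [], "other": []}
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host == sender_domain or host.endswith("." + sender_domain):
            buckets["sender"].append(url)
        elif host in BRAND_HOSTS:
            buckets["brand"].append((url, BRAND_HOSTS[host]))
        else:
            buckets["other"].append(url)
    return buckets


# CONSTRUCTED sample: the signature links quoted in the report, stored once as
# ASCII (as in an HTML body) and once as UTF-16LE (as in a string property),
# plus one unrelated link so the "other" bucket is exercised.
SIGNATURE = (
    "<http://www.thermoclean.com> "
    "<https://www.youtube.com/@thermo-cleangroup5215> "
    "<https://nl.linkedin.com/company/thermo-clean/> "
    "<https://www.facebook.com/thermoclean/> "
    "<http://www.thermoclean.com/en/about-us/privacy-declaration>"
)
EXAMPLE_MSG = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24   # OLE compound-file magic + padding
    + SIGNATURE.encode("ascii") + b"\x00" * 7             # odd-length padding: UTF-16 text starts at an odd offset
    + ("Bekijk uw order: https://example.invalid/login " + SIGNATURE).encode("utf-16-le")
)

if __name__ == "__main__":
    print(fingerprint(EXAMPLE_MSG), "matches report:", matches_report(EXAMPLE_MSG))
    for bucket, items in classify_links(extract_urls(EXAMPLE_MSG), "thermoclean.com").items():
        print(bucket, items)
```

On a real .msg the same functions run over the whole file; if you want the per-property view the sandbox prints (which stream a string came from), the olefile package can enumerate the __substg1.0_* streams of the compound file and the scanner can be run per stream. Note that the three brand matches above are all links in a corporate mail signature; on their own they say nothing about phishing, which is why the report's score stays in the suspicious range rather than malicious.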
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Window created: window name: CLIPBRDWNDCLASS
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Windows\SysWOW64\DWWIN.EXE C:\Windows\SysWOW64\DWWIN.EXE -x -s 3528
Source: classification engine Classification label: sus22.winMSG@5/24@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Windows\SysWOW64\DWWIN.EXE Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7920
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl
Source: C:\Windows\SysWOW64\DWWIN.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW_ Orderbevestiging - 85500000571-1.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DD02958B-7185-4644-81E8-81708E0B3128" "3F917F8C-9997-4D7C-89FB-9D3959AF9CA5" "7920" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Windows\SysWOW64\DWWIN.EXE C:\Windows\SysWOW64\DWWIN.EXE -x -s 3528
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DD02958B-7185-4644-81E8-81708E0B3128" "3F917F8C-9997-4D7C-89FB-9D3959AF9CA5" "7920" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Windows\SysWOW64\DWWIN.EXE C:\Windows\SysWOW64\DWWIN.EXE -x -s 3528
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: wer.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: version.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: c2r64.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: c2r32.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp140.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: dsreg.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: windows.security.authentication.onlineid.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: webio.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE Section loaded: twinapi.appcore.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
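The process activity above is a small tree: OUTLOOK.EXE opens the .msg, spawns the Office helper ai.exe (note the "7920" argument, Outlook's own PID, which also appears in the Outlook Logging .etl file name), and spawns C:\Windows\SysWOW64\DWWIN.EXE with "-x -s 3528". DWWIN.EXE is the Windows Error Reporting client, and the mutant it creates, WERReportingForProcess7920, names the process being reported on: this is the footprint of the "One or more processes crash" signature (Outlook crashed while rendering the mail), not of the sample launching something of its own. The detection below is an added example, not part of this report or the sandbox: it replays that tree over constructed Sysmon-style process-creation events, accepts the two Outlook children the report shows by full path, and alerts on any other child of Outlook, including a known helper name run from an unexpected directory. The two alerting events (a powershell.exe child and a DWWIN.EXE copy under Temp) are constructed for the example and do not occur in this analysis; the explorer.exe parent of Outlook is likewise an assumption, since the report lists that parent as unknown.

```python
"""Added detection example; not part of the sandbox report or any vendor tool."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """The Sysmon Event ID 1 fields this rule needs."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


OFFICE_ROOT = r"c:\program files (x86)\microsoft office\root"
OUTLOOK = OFFICE_ROOT + r"\office16\outlook.exe"

# Children of OUTLOOK.EXE the report records, keyed by lower-cased full path.
EXPECTED_CHILDREN = {
    OFFICE_ROOT + r"\vfs\programfilescommonx64\microsoft shared\office16\ai.exe":
        "Office AI helper (loads an .onnx model)",
    r"c:\windows\syswow64\dwwin.exe":
        "Windows Error Reporting client, i.e. a crash report for the parent",
}
EXPECTED_NAMES = {path.rsplit("\\", 1)[-1] for path in EXPECTED_CHILDREN}


def check_outlook_children(events):
    """Verdict (pid, image, text) for every process whose parent is OUTLOOK.EXE.

    A full-path match is 'expected'; a known helper name from any other
    directory is an alert (masquerading); anything else is an alert too."""
    verdicts = []
    for ev in events:
        if ev.parent_image.lower() != OUTLOOK:
            continue
        image = ev.image.lower()
        name = image.rsplit("\\", 1)[-1]
        if image in EXPECTED_CHILDREN:
            verdict = "expected: " + EXPECTED_CHILDREN[image]
        elif name in EXPECTED_NAMES:
            verdict = "ALERT: known helper name from unexpected path"
        else:
            verdict = "ALERT: unexpected child of Outlook"
        verdicts.append((ev.pid, ev.image, verdict))
    return verdicts


WER_MUTEX = re.compile(r"WERReportingForProcess(\d+)$")


def crash_report_subject(events, mutex_name):
    """Image of the process a WERReportingForProcess<pid> mutant refers to, or None.

    The report shows DWWIN.EXE creating WERReportingForProcess7920; resolving
    7920 against the process list tells you which process crashed."""
    m = WER_MUTEX.search(mutex_name)
    if not m:
        return None
    pid = int(m.group(1))
    return next((ev.image for ev in events if ev.pid == pid), None)


# CONSTRUCTED events: the three processes from the report plus two that are
# NOT in the report, added only to show what an alert looks like.
OUTLOOK_IMAGE = r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"
AI_IMAGE = r"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe"
EVENTS = [
    ProcEvent(7920, OUTLOOK_IMAGE,
              OUTLOOK_IMAGE + r' /f "C:\Users\user\Desktop\FW_ Orderbevestiging - 85500000571-1.msg"',
              4000, r"C:\Windows\explorer.exe"),                      # parent is an assumption
    ProcEvent(1001, AI_IMAGE, 'ai.exe "7920" "WordCombinedFloatieLreOnline.onnx"',  # args shortened
              7920, OUTLOOK_IMAGE),
    ProcEvent(1002, r"C:\Windows\SysWOW64\DWWIN.EXE", r"C:\Windows\SysWOW64\DWWIN.EXE -x -s 3528",
              7920, OUTLOOK_IMAGE),
    ProcEvent(1003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc <base64>", 7920, OUTLOOK_IMAGE),   # constructed
    ProcEvent(1004, r"C:\Users\user\AppData\Local\Temp\DWWIN.EXE", "DWWIN.EXE -x -s 1",
              7920, OUTLOOK_IMAGE),                                                   # constructed
]

if __name__ == "__main__":
    for pid, image, verdict in check_outlook_children(EVENTS):
        print(pid, image, "->", verdict)
    mutex = r"\Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7920"
    print("crash report is for:", crash_report_subject(EVENTS, mutex))
```

The same allowlist-by-full-path idea is how to read the "Process information set: NOOPENFILEERRORBOX" lines further down: SetErrorMode calls by Outlook, ai.exe and the WER client are normal Office behaviour and only become interesting when they come from a process that should not be there in the first place.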

Persistence and Installation Behavior

Source: Email LLM: Detected potential phishing email: The email claims to be from Dustin B.V. but is being forwarded through internal company addresses, which is unusual for order confirmations
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX (22 identical entries)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\DWWIN.EXE Process information set: NOOPENFILEERRORBOX (47 identical entries)
Source: C:\Windows\SysWOW64\DWWIN.EXE TID: 2708 Thread sleep time: -30000s >= -30000s
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: DWWIN.EXE, 00000007.00000003.3652895010.0000000003583000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 00000007.00000002.3783272164.0000000003547000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 00000007.00000003.3782061721.0000000003584000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllid" val="433" />
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe
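The entries above are easy to over-read. Every "Process information set" hit is a SetErrorMode call from Outlook, Office's ai.exe or DWWIN.EXE (the Windows Error Reporting client); NOGPFAULTERRORBOX is the flag that suppresses the crash dialog, which is what the "One or more processes crash" signature is really reporting. Every VMware, Hyper-V and MsMpEng string comes from Amcache.hve.7.dr, a copy of the analysis VM's own application-compatibility hive recorded as a dropped file of process 7 (DWWIN.EXE), so those strings describe the sandbox host, not anything the .msg did. The following Python script is an added triage helper written for this page; it is not part of the Joe Sandbox report or its tooling. It parses behaviour lines of the form shown above, collapses verbatim repeats into a count, strips the "Jump to behavior" link text, and labels each entry by where its evidence came from. The line grammar, the indicator regexes and the labels are my own assumptions; the sample input is a constructed subset of the report's own lines, with the DWWIN.EXE memory-string line shortened.

```python
"""Triage sandbox behaviour lines: dedupe, and attribute each hit to its real origin.

Added example for this page, not code from the sandbox vendor. The line format
and labels are assumptions modelled on the entries listed in the report.
"""
import re
from collections import OrderedDict

# Constructed sample input: a subset of the report's lines (last DWWIN line shortened).
SAMPLE_LINES = r"""
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE TID: 2708 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: DWWIN.EXE, 00000007.00000003.3652895010.0000000003583000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
"""

# Event names as they appear in the report (assumed to be the full set we care about).
EVENTS = ("Process information set", "Process information queried",
          "Thread sleep time", "Binary or memory string",
          "String found in binary or memory", "Key value queried",
          "Queries volume information")

LINE_RE = re.compile(
    r"^Source: (?P<origin>.+?)(?: TID: (?P<tid>\d+))? "
    r"(?P<event>" + "|".join(re.escape(e) for e in EVENTS) + r"): "
    r"(?P<detail>.*?)(?: Jump to behavior)?$")

# Indicator patterns (assumptions): virtualisation vendors/drivers and Defender's engine.
VM_RE = re.compile(r"vmware|vmci|vmw201|necvmwar|hyper-v|ven_15ad", re.I)
AV_RE = re.compile(r"msmpeng|windows defender", re.I)


def classify(rec):
    """Label a parsed record by where its evidence came from and what it means."""
    origin, event, detail = rec["origin"], rec["event"], rec["detail"]
    if origin.startswith("Amcache.hve"):
        # Amcache.hve.<n>.dr is the analysis VM's own app-compat hive, dropped by
        # process <n>; its strings describe the sandbox host, not the sample.
        if VM_RE.search(detail):
            return "analysis-host artifact: VM inventory string"
        if AV_RE.search(detail):
            return "analysis-host artifact: AV process name"
        return "analysis-host artifact"
    if event == "Process information set":
        if "NOGPFAULTERRORBOX" in detail:
            # SetErrorMode(SEM_NOGPFAULTERRORBOX): no crash dialog; common in legitimate software.
            return "SetErrorMode: crash dialog suppressed"
        return "SetErrorMode: file-open error dialog suppressed (low signal)"
    if event == "Thread sleep time":
        return "sleep: possible delay loop"
    if event in ("Binary or memory string", "String found in binary or memory") and VM_RE.search(detail):
        return "VM-related string in process memory (attribute to the process holding it)"
    if event == "Key value queried" and detail.endswith("MachineGuid"):
        return "host fingerprint: MachineGuid read"
    return event.lower()


def parse(text):
    """Parse report lines into dicts with origin, tid, event and detail."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def collapse(records):
    """Collapse verbatim repeats into one entry with a count, preserving first-seen order."""
    out = OrderedDict()
    for r in records:
        key = (r["origin"], r["event"], r["detail"])
        if key not in out:
            out[key] = dict(r, count=0, label=classify(r))
        out[key]["count"] += 1
    return list(out.values())


def sample_attributable(entries, sample_name):
    """Entries whose origin is the submitted sample itself rather than a host process or dropped file."""
    return [e for e in entries if e["origin"].startswith(sample_name)]


if __name__ == "__main__":
    entries = collapse(parse(SAMPLE_LINES))
    for e in entries:
        print(f"{e['count']:>3}x {e['origin']}  {e['event']}: {e['detail']}")
        print(f"      -> {e['label']}")
    print("attributable to the .msg itself:",
          len(sample_attributable(entries, "FW_ Orderbevestiging - 85500000571-1.msg")))
```

Run against the report's full signature list, the script leaves nothing attributable to the .msg itself: each entry is either an Office or WER process setting its own error mode, Office's ai.exe reading the machine GUID, or the sandbox's own Amcache contents. That is consistent with the low score, and it is the check to make before citing "VM detection" or "AV process strings" as sample behaviour.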
No contacted IP infos