Windows Analysis Report
PSR Helpful Resources.docx

Overview

General Information

Sample name: PSR Helpful Resources.docx
Analysis ID: 1673182
MD5: 5ece0a46ab0168a5e6dc858dc759feab
SHA1: a39500ec79cd8f1d01689d0e4b83a329c0052cdc
SHA256: 5c475168b031cf35492744f53d2b4c3d0102c011b9a94565738c268561ef2e76
Infos:
Errors
  • Corrupt sample or wrongly selected analyzer.

Detection

Score: 48
Range: 0 - 100
Confidence: 100%

Signatures

Document exploit detected (process start blacklist hit)
Uses netsh to modify the Windows network and firewall settings
Binary contains a suspicious time stamp
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 142.250.68.228:443 -> 192.168.2.25:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.68.228:443 -> 192.168.2.25:49717 version: TLS 1.2
Source: Binary string: NetworkDiagnosticSnapIn.pdb source: NetworkDiagnosticSnapIn.dll.25.dr

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process created: C:\Windows\System32\conhost.exe
Source: unknown TCP traffic detected without corresponding DNS query: 2.19.122.49
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.8
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.25
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.25
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.25
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.25
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.25
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.25
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.25
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.115.94
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.115.94
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.115.94
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.115.94
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.115.94
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.115.94
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: google.com
Source: msdt.exe, 00000019.00000002.3034040078.0000027ED840D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown HTTPS traffic detected: 142.250.68.228:443 -> 192.168.2.25:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.68.228:443 -> 192.168.2.25:49717 version: TLS 1.2
Document contains embedded VBA macros
Source: results.xsl.25.dr OLE indicator, VBA macros: true
Source: DiagPackage.diagpkg.25.dr OLE indicator, VBA macros: true
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: results.xsl.25.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: DiagPackage.diagpkg.25.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file does not import any functions
Source: DiagPackage.dll.mui.25.dr Static PE information: No import functions for PE file found
Source: DiagPackage.dll.25.dr Static PE information: No import functions for PE file found
Source: classification engine Classification label: mal48.expl.evad.winDOCX@32/18@8/5
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\Desktop\~$R Helpful Resources.docx Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Windows\System32\appidpolicyconverter.exe Mutant created: PolicyMutex
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{9B342545-CFF7-426E-9068-AFE44C4B4001} - OProcSessId.dat Jump to behavior
Source: PSR Helpful Resources.docx OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\appidpolicyconverter.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\appidpolicyconverter.exe "C:\Windows\system32\appidpolicyconverter.exe"
Source: C:\Windows\System32\appidpolicyconverter.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1856,i,16304394133441932499,11410351142429476812,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2232 /prefetch:11
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://wiki/display/REG/Access+Schedules"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe -modal "66826" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\user\AppData\Local\Temp\NDF5CF1.tmp" -ep "NetworkDiagnosticsWeb"
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1856,i,16304394133441932499,11410351142429476812,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2232 /prefetch:11 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe -modal "66826" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\user\AppData\Local\Temp\NDF5CF1.tmp" -ep "NetworkDiagnosticsWeb" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\appidpolicyconverter.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\appidpolicyconverter.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\appidpolicyconverter.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\appidpolicyconverter.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\appidpolicyconverter.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cfgmgr32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: sstpcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwanprfl.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ndfapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wdi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe File opened: C:\Windows\system32\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll Jump to behavior
Source: Binary string: NetworkDiagnosticSnapIn.pdb source: NetworkDiagnosticSnapIn.dll.25.dr
Source: PSR Helpful Resources.docx Initial sample: OLE indicators vbamacros = False
Binary contains a suspicious time stamp
Source: NetworkDiagnosticSnapIn.dll.25.dr Static PE information: 0xA7E1BCB8 [Thu Apr 3 09:49:44 2059 UTC]
Drops PE files
Source: C:\Windows\System32\msdt.exe File created: C:\Windows\Temp\SDIAG_85aedea0-6b70-4df6-a961-0f43500a3a23\DiagPackage.dll Jump to dropped file
Source: C:\Windows\System32\msdt.exe File created: C:\Windows\Temp\SDIAG_85aedea0-6b70-4df6-a961-0f43500a3a23\NetworkDiagnosticSnapIn.dll Jump to dropped file
Source: C:\Windows\System32\msdt.exe File created: C:\Windows\Temp\SDIAG_85aedea0-6b70-4df6-a961-0f43500a3a23\en-US\DiagPackage.dll.mui Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msdt.exe File created: C:\Windows\Temp\SDIAG_85aedea0-6b70-4df6-a961-0f43500a3a23\DiagPackage.dll Jump to dropped file
Source: C:\Windows\System32\msdt.exe File created: C:\Windows\Temp\SDIAG_85aedea0-6b70-4df6-a961-0f43500a3a23\NetworkDiagnosticSnapIn.dll Jump to dropped file
Source: C:\Windows\System32\msdt.exe File created: C:\Windows\Temp\SDIAG_85aedea0-6b70-4df6-a961-0f43500a3a23\en-US\DiagPackage.dll.mui Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msdt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msdt.exe Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_85aedea0-6b70-4df6-a961-0f43500a3a23\DiagPackage.dll Jump to dropped file
Source: C:\Windows\System32\msdt.exe Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_85aedea0-6b70-4df6-a961-0f43500a3a23\NetworkDiagnosticSnapIn.dll Jump to dropped file
Source: C:\Windows\System32\msdt.exe Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_85aedea0-6b70-4df6-a961-0f43500a3a23\en-US\DiagPackage.dll.mui Jump to dropped file
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: netsh.exe, 0000001C.00000002.3004153757.000002D6124F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msdt.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0215~31bf3856ad364e35~amd64~~10.0.22621.4111.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Uses netsh to modify the Windows network and firewall settings
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1673182 Sample: PSR Helpful Resources.docx Startdate: 24/04/2025 Architecture: WINDOWS Score: 48 43 Uses netsh to modify the Windows network and firewall settings 2->43 45 Document exploit detected (process start blacklist hit) 2->45 6 chrome.exe 2 2->6         started        9 WINWORD.EXE 504 118 2->9         started        11 appidpolicyconverter.exe 1 2->11         started        13 chrome.exe 2->13         started        process3 dnsIp4 37 192.168.2.24 unknown unknown 6->37 39 192.168.2.25, 137, 138, 443 unknown unknown 6->39 41 2 other IPs or domains 6->41 15 msdt.exe 27 6->15         started        18 chrome.exe 6->18         started        21 netsh.exe 2 9->21         started        23 conhost.exe 9->23         started        25 conhost.exe 11->25         started        process5 dnsIp6 27 C:\Windows\Temp\...\DiagPackage.dll.mui, PE32 15->27 dropped 29 C:\Windows\...29etworkDiagnosticSnapIn.dll, PE32 15->29 dropped 31 C:\Windows\Temp\...\DiagPackage.dll, PE32+ 15->31 dropped 33 www.google.com 142.250.68.228, 443, 49707, 49717 GOOGLEUS United States 18->33 35 google.com 18->35 file7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.68.228
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.7
192.168.2.4
192.168.2.24
192.168.2.25

Contacted Domains

Name IP Active
google.com 142.250.72.142 true
a726.dscd.akamai.net 23.192.223.229 true
www.google.com 142.250.68.228 true
s-0005.dual-s-msedge.net 52.123.128.14 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://c.pki.goog/r/r4.crl false
    		high