
Analysis Report sample1.bin

Overview

General Information

Sample Name: sample1.bin (renamed file extension from bin to doc)
Analysis ID: 339441
MD5: 7dbd8ecfada1d39a81a58c9468b91039
SHA1: 0d21e2742204d1f98f6fcabe0544570fd6857dd3
SHA256: dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95

Most interesting Screenshot: [screenshot not included in this extract]

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Changes security center settings (notifications, updates, antivirus, firewall)
Creates and opens a fake document (probably a fake document to hide exploiting)
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates files inside the system directory
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 1536 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • svchost.exe (PID: 1004 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6192 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6588 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6684 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6720 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6776 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6792 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6880 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6944 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6976 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • certutil.exe (PID: 6392 cmdline: Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf MD5: EB199893441CED4BBBCB547FE411CF2D)
    • conhost.exe (PID: 6372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
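The certutil.exe line in the tree above is the sample's decode stage: a text blob dropped as C:\Users\Public\Ksh1.xls is turned into C:\Users\Public\Ksh1.pdf, which the "Drops files with a non-matching file extension" and "Drops PE files to the user root directory" signatures identify as an executable. The Python below is an added triage helper, not part of this report and not Joe Sandbox code: it emulates what certutil -decode does (strip the -----BEGIN/END----- armour lines, base64-decode the rest), sniffs the real type of the result, flags the extension mismatch on both files, and pulls URL strings out of the decoded bytes, the way the report recovered the pornthash.mobi URL from Ksh1.pdf. The input is constructed (a fake MZ header and DOS stub carrying that URL), not the real dropper.

```python
import base64
import re
from typing import Dict, List

# Constructed stand-in for the dropped C:\Users\Public\Ksh1.xls: base64 inside certificate
# armour, the layout certutil -decode expects. The payload is a fake 147-byte "PE" (MZ header,
# DOS stub text, one URL), not a real executable and not the sample's actual dropper.
FAKE_PE = (
    b"MZ\x90\x00" + b"\x00" * 60                          # 64-byte DOS header, fields zeroed
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"https://pornthash.mobi/videos/tayna_tung\x00"     # URL the report found in Ksh1.pdf
)
SAMPLE_KSH1_XLS = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(re.findall(".{1,64}", base64.b64encode(FAKE_PE).decode("ascii")))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

# Magic bytes for the types that matter in this chain.
MAGIC = [
    (b"MZ", "pe"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls (compound file)
    (b"PK\x03\x04", "zip"),                          # .docx/.xlsx (OOXML)
]
EXPECTED_TYPE: Dict[str, str] = {
    "exe": "pe", "dll": "pe", "scr": "pe", "pdf": "pdf",
    "doc": "ole2", "xls": "ole2", "docx": "zip", "xlsx": "zip",
}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def certutil_decode(text: str) -> bytes:
    """Emulate `certutil -decode`: drop the -----BEGIN/END----- lines, base64-decode the rest."""
    body = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def sniff_type(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the extension promises a type we know and the content is something else."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    expected = EXPECTED_TYPE.get(ext)
    return expected is not None and sniff_type(data) != expected


def extract_urls(data: bytes) -> List[str]:
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]


def triage_drop(encoded_path: str, decoded_path: str, encoded_text: str) -> dict:
    """Replay the decode step and report what the sandbox signatures keyed on."""
    data = certutil_decode(encoded_text)
    return {
        "encoded_is_mismatch": extension_mismatch(encoded_path, encoded_text.encode("ascii")),
        "decoded_type": sniff_type(data),
        "decoded_is_mismatch": extension_mismatch(decoded_path, data),
        "urls": extract_urls(data),
    }


if __name__ == "__main__":
    print(triage_drop(r"C:\Users\Public\Ksh1.xls", r"C:\Users\Public\Ksh1.pdf", SAMPLE_KSH1_XLS))
```

certutil -decode also accepts the base64 body without the armour lines, so stripping only lines that start with ----- covers both layouts. In a real triage the same checks go over every file created under C:\Users\Public and %TEMP% during the run, since the extension on a dropped file means nothing.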

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample1.doc | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\Public\Ksh1.pdf | Avira: detection malicious, Label: TR/Casdet.xqfgu
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Ksh1.pdf | Metadefender: Detection: 40%
Source: C:\Users\Public\Ksh1.pdf | ReversingLabs: Detection: 64%
Multi AV Scanner detection for submitted file
Source: sample1.doc | Virustotal: Detection: 61%
Source: sample1.doc | Metadefender: Detection: 45%
Source: sample1.doc | ReversingLabs: Detection: 72%
Machine Learning detection for dropped file
Source: C:\Users\Public\Ksh1.pdf | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: sample1.doc | Joe Sandbox ML: detected
Tries to load missing DLLs
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Allocates a big amount of memory (probably used for heap spraying)
Source: winword.exe | Memory has grown: Private usage: 0MB later: 129MB
Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: pornthash.mobi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.3:49744 -> 177.130.51.198:80
Source: unknown | DNS traffic detected: queries for: pornthash.mobi
Of the strings that follow, only the two pornthash.mobi URLs recovered from certutil.exe memory and from the decoded Ksh1.pdf belong to the sample (together with the Snort hit and the DNS query above). The rest are standard Microsoft Office and Windows service endpoints (Office configuration and telemetry, OneDrive, Bing Maps tiles) that sit in the Office-generated dropped file C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr and in svchost.exe memory independently of the sample.
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: svchost.exe, 0000000D.00000002.309801474.0000022F01413000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.cortana.ai
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.office.net
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.onedrive.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: svchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://augloop.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cdn.entity.
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cortana.ai
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cortana.ai/api
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cr.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dev.cortana.ai
Source: svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.312307229.0000022F0143D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000002.312540794.0000022F0144E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.312307229.0000022F0143D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000002.312354867.0000022F01442000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000002.312354867.0000022F01442000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://directory.services.
Source: svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308667722.0000022F01464000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.312307229.0000022F0143D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.286866511.0000022F01431000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://graph.windows.net
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://graph.windows.net/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://login.windows.local
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://management.azure.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://management.azure.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://messaging.office.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://ncus-000.contentsync.
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://ncus-000.pagecontentsync.
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://officeapps.live.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://onedrive.live.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://outlook.office.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://outlook.office365.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: certutil.exe, 00000010.00000002.324974608.0000019BE9B00000.00000004.00000001.sdmp, Ksh1.pdf.16.dr | String found in binary or memory: https://pornthash.mobi/videos/tayna_tung
Source: certutil.exe, 00000010.00000002.324974608.0000019BE9B00000.00000004.00000001.sdmp, Ksh1.pdf.16.dr | String found in binary or memory: https://pornthash.mobi/videos/tayna_tung%temp%/tmp_e473b4.exex
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://powerlift.acompli.net
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://settings.outlook.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://staging.cortana.ai
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://store.office.com/addinstemplate
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: svchost.exe, 0000000D.00000002.312307229.0000022F0143D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.312307229.0000022F0143D000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.309801474.0000022F01413000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.286866511.0000022F01431000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.309006862.0000022F01445000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.286866511.0000022F01431000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000003.286866511.0000022F01431000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000002.312540794.0000022F0144E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://tasks.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://templatelogging.office.com/client/log
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://webshell.suite.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://wus2-000.contentsync.
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://wus2-000.pagecontentsync.
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing" from the yellow bar above. 2 Once you have enabled editing, please click "Enable
Source: Screenshot number: 4 | Screenshot OCR: Enable content" on the yellow bar above. ! Page1 of 2 617 words uu O Type here to search % m % -
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing' from the yellow bar 2 Once you have enabled editing, please click "Enable content'
Source: Document image extraction number: 0 | Screenshot OCR: Enable content' on the yellow bar above. *this document is completely safety to open
Source: Screenshot number: 12 | Screenshot OCR: Enable editing from the yellow bar above. , , Once you have enabled editing, please click , !
Source: Screenshot number: 12 | Screenshot OCR: Enable content" on the yellow bar above. , , , , , , , , , , i *this document is complete
Document contains an embedded VBA macro with suspicious strings
Source: sample1.doc | OLE, VBA macro line: Private Declare PtrSafe Function Sleep Lib "Kernel32" (ByVal One As Long) As Long
Source: sample1.doc | OLE, VBA macro line: Private Declare Function Sleep Lib "Kernel32" (ByVal One As Long) As Long
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: sample1.doc | OLE, VBA macro line: Private Sub Document_Close()
Source: sample1.doc | OLE, VBA macro line: Form_Close
Source: sample1.doc | OLE, VBA macro line: Private Sub Form_Close()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Close
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Form_Close
Source: sample1.doc | OLE indicator, VBA macros: true
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: classification engine | Classification label: mal100.expl.evad.winDOC@13/28@3/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{EFC7C51F-9C8A-4815-B217-7915A013B15B} - OProcSessId.dat
Source: sample1.doc | OLE indicator, Word Document stream: true
Source: sample1.doc | OLE document summary: title field not present or empty
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\svchost.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: sample1.doc | Virustotal: Detection: 61%
Source: sample1.doc | Metadefender: Detection: 45%
Source: sample1.doc | ReversingLabs: Detection: 72%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\certutil.exe Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\certutil.exe | File created: C:\Users\Public\Ksh1.pdf

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\certutil.exe | File created: C:\Users\Public\Ksh1.pdf

Hooking and other Techniques for Hiding and Protection:

Creates and opens a fake document (probably a fake document to hide exploiting)
Source: unknown | Process created: cmd line: ksh1.pdf
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: sample1.doc | Stream path 'Data' entropy: 7.97862280177 (max. 8.0)
Source: C:\Windows\System32\certutil.exe | Dropped PE file which has not been started: C:\Users\Public\Ksh1.pdf
Source: C:\Windows\System32\svchost.exe TID: 6280 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: svchost.exe, 00000002.00000002.266875948.00000208AA260000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.292546467.0000012295740000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000002.00000002.266875948.00000208AA260000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.292546467.0000012295740000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.266875948.00000208AA260000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.292546467.0000012295740000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000002.00000002.266875948.00000208AA260000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.292546467.0000012295740000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 111 | DLL Side-Loading 1 | Process Injection 1 | Masquerading 131 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 12 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 2 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 11 | Logon Script (Windows) | Extra Window Memory Injection 1 | Virtualization/Sandbox Evasion 2 | Security Account Manager | Remote System Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 12 | LSA Secrets | System Information Discovery 23 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
sample1.doc | 62% | Virustotal |
sample1.doc | 46% | Metadefender |
sample1.doc | 72% | ReversingLabs | Document-Word.Trojan.Valyria
sample1.doc | 100% | Avira | HEUR/Macro.Downloader.MRYT.Gen
sample1.doc | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\Ksh1.pdf | 100% | Avira | TR/Casdet.xqfgu
C:\Users\Public\Ksh1.pdf | 100% | Joe Sandbox ML |
C:\Users\Public\Ksh1.pdf | 41% | Metadefender |
C:\Users\Public\Ksh1.pdf | 64% | ReversingLabs | Win32.Trojan.Malrep

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
mov.pornthash.mobi | 0% | Virustotal |
pornthash.mobi | 0% | Virustotal |

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip166475689.ahcdn.com | 188.209.213.202 | true | false | | high
mov.pornthash.mobi | 104.21.4.61 | true | false | | unknown
pornthash.mobi | 104.21.4.61 | true | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
                                            high
                                            https://ofcrecsvcapi-int.azurewebsites.net/C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                            • 0%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000D.00000002.312354867.0000022F01442000.00000004.00000001.sdmpfalse
                                              high
                                              https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                high
                                                https://api.microsoftstream.com/api/C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                  high
                                                  https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                    high
                                                    https://cr.office.comC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                      high
                                                      https://appexmapsappupdate.blob.core.windows.netsvchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://portal.office.com/account/?ref=ClientMeControlC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                          high
                                                          http://www.bingmapsportal.comsvchost.exe, 0000000D.00000002.309801474.0000022F01413000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://ecs.office.com/config/v2/OfficeC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                              high
                                                              https://graph.ppe.windows.netC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                high
                                                                https://res.getmicrosoftkey.com/api/redemptioneventsC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://powerlift-frontdesk.acompli.netC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://tasks.office.comC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                  high
                                                                  https://officeci.azurewebsites.net/api/C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                  • 0%, Virustotal, Browse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://sr.outlook.office.net/ws/speech/recognize/assistant/workC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                    high
                                                                    https://store.office.cn/addinstemplateC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=svchost.exe, 0000000D.00000003.309006862.0000022F01445000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://wus2-000.pagecontentsync.C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://outlook.office.com/autosuggest/api/v1/init?cvid=C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                        high
                                                                        https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 0000000D.00000002.312307229.0000022F0143D000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://globaldisco.crm.dynamics.comC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                            high
                                                                            https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                              high
                                                                              https://store.officeppe.com/addinstemplateC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://dev0-api.acompli.net/autodetectC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://www.odwebp.svc.msC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://api.powerbi.com/v1.0/myorg/groupsC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                high
                                                                                https://web.microsoftstream.com/video/C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                  high
                                                                                  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 0000000D.00000002.312307229.0000022F0143D000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.309801474.0000022F01413000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://graph.windows.netC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                        high
                                                                                        https://dataservice.o365filtering.com/C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 0000000D.00000003.286866511.0000022F01431000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          https://officesetup.getmicrosoftkey.comC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://analysis.windows.net/powerbi/apiC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                            high
                                                                                            https://prod-global-autodetect.acompli.net/autodetectC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              https://outlook.office365.com/autodiscover/autodiscover.jsonC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                high
                                                                                                https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-iosC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                  high
                                                                                                  https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                    high
                                                                                                    https://dynamic.tsvchost.exe, 0000000D.00000003.308667722.0000022F01464000.00000004.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                      high
                                                                                                      https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                          high
                                                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                            high
                                                                                                            http://weather.service.msn.com/data.aspxC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                              high
                                                                                                              https://apis.live.net/v5.0/C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                  high
                                                                                                                  https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                    high
                                                                                                                    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                      high
                                                                                                                      https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          https://management.azure.comC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                            high
                                                                                                                            https://incidents.diagnostics.office.comC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                              high
                                                                                                                              https://clients.config.office.net/user/v1.0/iosC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                high
                                                                                                                                https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 0000000D.00000002.312307229.0000022F0143D000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://insertmedia.bing.office.net/odc/insertmediaC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://o365auditrealtimeingestion.manage.office.comC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://outlook.office365.com/api/v1.0/me/ActivitiesC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://api.office.netC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://incidents.diagnosticssdf.office.comC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://asgsmsproxyapi.azurewebsites.net/C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://clients.config.office.net/user/v1.0/android/policiesC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://entitlement.diagnostics.office.comC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=svchost.exe, 0000000D.00000002.312354867.0000022F01442000.00000004.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://outlook.office.com/C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://storage.live.com/clientlogs/uploadlocationC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 0000000D.00000003.286866511.0000022F01431000.00000004.00000001.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://templatelogging.office.com/client/logC8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://outlook.office365.com/C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.drfalse
                                                                                                                                                                  high

Contacted IPs


Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

Private

IP
192.168.2.1
127.0.0.1

                                                                                                                                                                  General Information

                                                                                                                                                                  Joe Sandbox Version:31.0.0 Red Diamond
                                                                                                                                                                  Analysis ID:339441
                                                                                                                                                                  Start date:14.01.2021
                                                                                                                                                                  Start time:03:30:32
                                                                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                                                                  Overall analysis duration:0h 4m 57s
                                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                                  Report type:light
                                                                                                                                                                  Sample file name:sample1.bin (renamed file extension from bin to doc)
                                                                                                                                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                                   Number of new started processes analysed:20
                                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                                  Technologies:
                                                                                                                                                                  • HCA enabled
                                                                                                                                                                  • EGA enabled
                                                                                                                                                                  • HDC enabled
                                                                                                                                                                  • GSI enabled (VBA)
                                                                                                                                                                  • AMSI enabled
                                                                                                                                                                  Analysis Mode:default
                                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                                  Detection:MAL
                                                                                                                                                                  Classification:mal100.expl.evad.winDOC@13/28@3/2
                                                                                                                                                                  EGA Information:Failed
                                                                                                                                                                  HDC Information:Failed
                                                                                                                                                                  HCA Information:
                                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                                  • Number of executed functions: 0
                                                                                                                                                                  • Number of non-executed functions: 0
                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                  • Adjust boot time
                                                                                                                                                                  • Enable AMSI
                                                                                                                                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                                  • Attach to Office via COM
                                                                                                                                                                  • Scroll down
                                                                                                                                                                  • Close Viewer
                                                                                                                                                                  Warnings:
                                                                                                                                                                  • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe
                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 40.88.32.150, 168.61.161.212, 52.109.88.177, 52.109.76.36, 51.104.139.180, 2.20.84.85, 92.122.213.247, 92.122.213.194, 20.54.26.129, 2.20.142.209, 2.20.142.210, 51.11.168.160
                                                                                                                                                                  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net
                                                                                                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                                                  Simulations

                                                                                                                                                                  Behavior and APIs

                                                                                                                                                                   Time | Type | Description
                                                                                                                                                                   03:31:46 | API Interceptor | 2x Sleep call for process: svchost.exe modified

                                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                                  IPs

                                                                                                                                                                  No context

                                                                                                                                                                  Domains

                                                                                                                                                                  No context

                                                                                                                                                                  ASN

                                                                                                                                                                  No context

                                                                                                                                                                  JA3 Fingerprints

                                                                                                                                                                  No context

                                                                                                                                                                  Dropped Files

                                                                                                                                                                  No context

                                                                                                                                                                  Created / dropped Files

                                                                                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):4096
                                                                                                                                                                  Entropy (8bit):0.5952333925020915
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:6:0FsWv0k1GaD0JOCEfMuaaD0JOCEfMKQmDFWv2Al/gz2cE0fMbhEZolrRSQ2hyYI8:0+o7GaD0JcaaD0JwQQFo2Ag/0bjSQJ
                                                                                                                                                                  MD5:E3708C8D87BB674A73482801402474E3
                                                                                                                                                                  SHA1:1A8D2302B3B042C763528D0CBB69D8B32E5768E7
                                                                                                                                                                  SHA-256:78C9AA6D0570C9B49AE1CFC3B608B30FFC8809896D74C59F45016618EE04402A
                                                                                                                                                                  SHA-512:1C658EDABBE854C41C322A5609FAD1213E8F6A8EC13344DD19443D1CA8731F11D063747676D8112A6FA8826B83D7DC0DFE1B7774E4C9299A280E4D3CD17FE483
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: ......:{..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xae16a304, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                  Entropy (8bit):0.09580686296721547
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:Wzc0+VaO4bl93N+sKozc0+VaO4bl93N+sK:6TjTTj
                                                                                                                                                                  MD5:F53ACAEFC5B0D6FA3CAD9BF844F56527
                                                                                                                                                                  SHA1:235FDA870F3985D2B06591F1A801429DFC8B7D95
                                                                                                                                                                  SHA-256:36D0D2B2DE84A519775E95168C7917292840B9E2F85E159479E627E49DDAAD93
                                                                                                                                                                  SHA-512:8DD00AEBF88957E4E3C334C54890270AB8A1449F55C3E1A6D10B78146D17937186E0F9CC1D58C5BA726EC1C5C3B89A6EE5F6CA62072E80ACAAEA0321DF92DA57
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: ....... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.........................................................................................................................................................................................................................................1.....ywk................B.e......y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):8192
                                                                                                                                                                  Entropy (8bit):0.11193516914275213
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:+9EvLRV8vAxXl/bJdAtiQu8v/tall:+Yr8vAJt4A8vQ
                                                                                                                                                                  MD5:D0E53B0EC516725F17F6813C5587E2CF
                                                                                                                                                                  SHA1:E68A9E8F8825657423F377CCAFE9B9D5A4A2BDB4
                                                                                                                                                                  SHA-256:00B2DBA055649AAB282B7266498110A79F6DDA6450384FD2DBC87E11A608233A
                                                                                                                                                                  SHA-512:8D76613AF2D0CC3555DE2CFFFECB4C73CCB38F021D43FA2526BE8F01BA2465F472DA5BAE6738BCBA179F910A0C1475B6415B9448B8AD9C959E0D5A978DE5C09B
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: d\.U.....................................3...w.......y.......w...............w.......w....:O.....w..................B.e......y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\Public\Ksh1.pdf
                                                                                                                                                                  Process:C:\Windows\System32\certutil.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):446976
                                                                                                                                                                  Entropy (8bit):7.675102075961339
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12288:NWSikkQXsGOCAStP1W+TXPc9JXvaWv7j3:ESiL5Sp1W+TYfHj
                                                                                                                                                                  MD5:706EA7F029E6BC4DBF845DB3366F9A0E
                                                                                                                                                                  SHA1:942443DFB8784066523DB761886115E08C99575F
                                                                                                                                                                  SHA-256:FB07F875DC45E6045735513E75A83C50C78154851BD23A645D43EA853E6800AC
                                                                                                                                                                  SHA-512:036D5DE7E732302EF81989FBA62ABB1375119FC8141748D6548ED2310E95BDC07468ADA5CBF06C4F721B2B95CAF51E3267D4EF6DB2A2031CF5C8B2ABEE1C15A3
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                   • Antivirus: Metadefender, Detection: 41%
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 64%
                                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)N(.m/F.m/F.m/F....g/F...../F....u/F.?GC.M/F.?GB.b/F.?GE.~/F.dW..h/F.m/G../F..FO.l/F..FF.l/F..F..l/F.m/..l/F..FD.l/F.Richm/F.........PE..L...+._...........!................d}.......0............................................@.............................H...X...<.......PB..........................0|..8...........................h|..@............0..8............................text...g........................... ..`.rdata..d\...0...^..................@..@.data................v..............@....rsrc...PB.......D...~..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\Public\~$Ksh1.doc
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):162
                                                                                                                                                                  Entropy (8bit):2.468762537539322
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:Rl/ZdazGlmPREl9lnlt1olF4ditr:RtZu+lHlYBR
                                                                                                                                                                  MD5:61CCB0AE1C8D3B3D7D8D942BBA014043
                                                                                                                                                                  SHA1:2BC241C791ACAA6CCC41E6F9D0BD1C03E49633F6
                                                                                                                                                                  SHA-256:D45E84624442FE9ED3005AE828C8E49FEA3C8D4677AC12F5D58B63FD198D39DB
                                                                                                                                                                  SHA-512:E2B419E3A461D7A0196A9D34F4369CD8C94C31905D2886A3B9DABAC56527477A0746E9725F1177725B0C408044A1E989DDEB66BD32C859DD32A4D100F8478ABB
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: .pratesh................................................p.r.a.t.e.s.h..........[...9..x..t`..tP..t.............[...:...........................[...;..........T...
                                                                                                                                                                  C:\Users\Public\~$Ksh1.xls
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):162
                                                                                                                                                                  Entropy (8bit):2.468762537539322
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:Rl/ZdazGlmPREl9lnlt1olF4ditr:RtZu+lHlYBR
                                                                                                                                                                  MD5:61CCB0AE1C8D3B3D7D8D942BBA014043
                                                                                                                                                                  SHA1:2BC241C791ACAA6CCC41E6F9D0BD1C03E49633F6
                                                                                                                                                                  SHA-256:D45E84624442FE9ED3005AE828C8E49FEA3C8D4677AC12F5D58B63FD198D39DB
                                                                                                                                                                  SHA-512:E2B419E3A461D7A0196A9D34F4369CD8C94C31905D2886A3B9DABAC56527477A0746E9725F1177725B0C408044A1E989DDEB66BD32C859DD32A4D100F8478ABB
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: .pratesh................................................p.r.a.t.e.s.h..........[...9..x..t`..tP..t.............[...:...........................[...;..........T...
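The two ~$Ksh1.* entries above are Word owner files (the lock file Word writes next to a document it has open), not payload: both are 162 bytes, both were written by WINWORD.EXE (so the .xls name says nothing about the content), and the preview shows the owner-file layout of a length byte, the user name in ANSI, then the same name again as UTF-16LE. The name Word records there is its own user-name setting, not the Windows account, which is why it reads pratesh while the profile path elsewhere on this report is C:\Users\user. The parser below is an added example, not code from the report or from the sandbox vendor. It assumes the layout the preview exhibits (ANSI block of 54 bytes, 16-bit character count at offset 54, UTF-16LE name from offset 56), and the file it parses is constructed, not the dropped file itself. Note that the padding after each name holds whatever Word left in its buffer (the preview shows non-zero bytes after the Unicode name), so the parser trusts the length prefixes rather than stripping NULs.

```python
import struct

OWNER_FILE_SIZE = 162      # every ~$*.doc / ~$*.xls entry on this report is 162 bytes
ANSI_BLOCK = 54            # length byte + ANSI name + padding (assumed layout)
WIDE_LEN_OFFSET = 54       # 16-bit character count of the UTF-16LE name (assumed)
WIDE_NAME_OFFSET = 56      # start of the UTF-16LE name (matches the preview)


def parse_owner_file(blob: bytes) -> dict:
    """Read both copies of the user name out of a Word owner file and report
    whether they agree. Lengths come from the prefixes, not from stripping
    NULs, because the padding is whatever Word left behind in its buffer."""
    if len(blob) != OWNER_FILE_SIZE:
        raise ValueError("expected a %d-byte owner file, got %d bytes"
                         % (OWNER_FILE_SIZE, len(blob)))
    n_ansi = blob[0]
    if n_ansi > ANSI_BLOCK - 1:
        raise ValueError("ANSI length byte out of range: %d" % n_ansi)
    ansi_name = blob[1:1 + n_ansi].decode("cp1252", errors="replace")
    n_wide = struct.unpack_from("<H", blob, WIDE_LEN_OFFSET)[0]
    if WIDE_NAME_OFFSET + 2 * n_wide > OWNER_FILE_SIZE:
        raise ValueError("UTF-16 length out of range: %d" % n_wide)
    wide_name = blob[WIDE_NAME_OFFSET:WIDE_NAME_OFFSET + 2 * n_wide].decode(
        "utf-16-le", errors="replace")
    return {"ansi": ansi_name, "unicode": wide_name,
            "consistent": ansi_name == wide_name}


def build_owner_file(name: str, filler: bytes = b"\0") -> bytes:
    """Constructed sample in the layout the report's preview shows; this is
    not the dropped file. `filler` stands in for the junk bytes Word leaves
    in the padding (the preview shows non-zero bytes after the Unicode name)."""
    def pad(buf: bytes, n: int) -> bytes:
        return (buf + filler * n)[:n]

    ansi = name.encode("cp1252")
    wide = name.encode("utf-16-le")
    ansi_block = bytes([len(ansi)]) + pad(ansi, ANSI_BLOCK - 1)
    wide_block = struct.pack("<H", len(name)) + pad(wide, OWNER_FILE_SIZE - WIDE_NAME_OFFSET)
    return ansi_block + wide_block


if __name__ == "__main__":
    # Junk filler on purpose: a NUL-stripping parser would read garbage here.
    sample = build_owner_file("pratesh", filler=b"[.9x")
    print(sample[:8], sample[WIDE_NAME_OFFSET:WIDE_NAME_OFFSET + 14])
    print(parse_owner_file(sample))
```

Run against a real owner file collected from the sandbox or a compromised host, the two names should match; a mismatch or an out-of-range length is a sign the file is not a genuine owner file and deserves a closer look.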
                                                                                                                                                                  C:\Users\Public\~WRD0000.tmp
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):595972
                                                                                                                                                                  Entropy (8bit):5.85065356609278
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12288:FmkTbAui+yjlKtAMgWffRtpqgnydr6YqVPCY:FmkvVW9gnyQxt9
                                                                                                                                                                  MD5:D631AB4CEFF199B52FF4E4B7AAD0199D
                                                                                                                                                                  SHA1:F30002C31BF32184507182100942A2012F0B8703
                                                                                                                                                                  SHA-256:9DE083F693C144A38D697089F6560A2EFE81B1AD1C5385EC07D6B41BB54B8FFE
                                                                                                                                                                  SHA-512:56B3941CD93658F7DF8976213E2DFD5CB74E7ABB651AD26FDA9B7191E675E03289366B32EEDF68D139562A88DBBAE2589FDA8ABBDB756C43E2E605863459A162
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: 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
                                                                                                                                                                  C:\Users\Public\~WRD0004.tmp
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):595972
                                                                                                                                                                  Entropy (8bit):5.85065356609278
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12288:FmkTbAui+yjlKtAMgWffRtpqgnydr6YqVPCY:FmkvVW9gnyQxt9
                                                                                                                                                                  MD5:D631AB4CEFF199B52FF4E4B7AAD0199D
                                                                                                                                                                  SHA1:F30002C31BF32184507182100942A2012F0B8703
                                                                                                                                                                  SHA-256:9DE083F693C144A38D697089F6560A2EFE81B1AD1C5385EC07D6B41BB54B8FFE
                                                                                                                                                                  SHA-512:56B3941CD93658F7DF8976213E2DFD5CB74E7ABB651AD26FDA9B7191E675E03289366B32EEDF68D139562A88DBBAE2589FDA8ABBDB756C43E2E605863459A162
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: 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
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C8E730CE-6109-4C50-987F-9ABD6FDBDF02
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):132942
                                                                                                                                                                  Entropy (8bit):5.372882575469903
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:vcQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:DrQ9DQW+zBX8P
                                                                                                                                                                  MD5:661BE377FBBB4BE41867FF9F66664830
                                                                                                                                                                  SHA1:1F08FBA111DB2373EEA90D0BE534FF96998DF109
                                                                                                                                                                  SHA-256:82E370595448D5EFFECDC840506EA2B0621479083972B182F6DBB0CA918CB3AB
                                                                                                                                                                  SHA-512:F8AD3E61AD98F85325C0A7FD308C1F76DF88A71E84F3C63D3A747371E97C99670DB068B60FAE5110B4B63521B0425AF14D6B4D39EC8801EE825B310D772B898F
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-14T02:31:22">.. Build: 16.0.13712.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0001.doc
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):598272
                                                                                                                                                                  Entropy (8bit):5.856822353998229
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12288:FmkwUHZaSyYGKFaaGXuG7ttehnyragYqyPhU:FmkVZm2hnyDxAC
                                                                                                                                                                  MD5:7E9AB23E4F7C98AF0A03B64E3C14D7F6
                                                                                                                                                                  SHA1:BAD0DC91FB2929FDBF66E569257BABA97E1EC233
                                                                                                                                                                  SHA-256:532A6B3137804F51266923EBB06FA6DE43022C2B14F14F6785DDFDA8CA4238EE
                                                                                                                                                                  SHA-512:014420FD9C97DBCFF01E11E385E392D8F9AB91D238A418E76C72CD1CD191D2BEE17E7442398C20BA229AD25B0461778F76A88039B1810E20E88A0FE58C434789
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: 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
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0002.doc
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1191944
                                                                                                                                                                  Entropy (8bit):3.9253267830463896
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12288:ade8HF9kUxyxlFnsn4yA9W8MZ5axhVYGByJGZGy9e3rfTqtTfLlR1xwSaf67HNu4:me8HFmU/4yA9W89VYU7sY7yz1DsVirpI
                                                                                                                                                                  MD5:DA122309698B26E96848A6A829EEF5C1
                                                                                                                                                                  SHA1:DFA1B8C96C19827A595EEB15B2EC5386F9746CEF
                                                                                                                                                                  SHA-256:26585F7107FBECBA9F5282D4C1F1783441C60187057133121BD40D5C31C6149A
                                                                                                                                                                  SHA-512:4318F2A585966FC03A86D566819F06F15A93BE1616231FC34E4C5B7F0B6317083654B7F9C446D250D91C25176853B8CEB42504419D35ECD7F8DEC4C6048B5D7D
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: T.V.q.Q.A.A.M.A.A.A.A.E.A.A.A.A././.8.A.A.L.g.A.A.A.A.A.A.A.A.A.Q.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.C.A.E.A.A.A.4.f.u.g.4.A.t.A.n.N.I.b.g.B.T.M.0.h.V.G.h.p.c.y.B.w.c.m.9.n.c.m.F.t.I.G.N.h.b.m.5.v.d.C.B.i.Z.S.B.y.d.W.4.g.a.W.4.g.R.E.9.T.I.G.1.v.Z.G.U.u.D.Q.0.K.J.A.A.A.A.A.A.A.A.A.A.p.T.i.i.j.b.S.9.G.8.G.0.v.R.v.B.t.L.0.b.w.2.b.O.3.8.G.c.v.R.v.D.Z.s.7.X.w.G.i.9.G.8.N.m.z.t.P.B.1.L.0.b.w.P.0.d.D.8.U.0.v.R.v.A./.R.0.L.x.Y.i.9.G.8.D.9.H.R.f.F.+.L.0.b.w.Z.F.f.V.8.G.g.v.R.v.B.t.L.0.f.w.C.S.9.G.8.P.d.G.T./.F.s.L.0.b.w.9.0.Z.G.8.W.w.v.R.v.D.3.R.r.n.w.b.C.9.G.8.G.0.v.0.f.B.s.L.0.b.w.9.0.Z.E.8.W.w.v.R.v.B.S.a.W.N.o.b.S.9.G.8.A.A.A.A.A.A.A.A.A.A.A.U.E.U.A.A.E.w.B.B.Q.A.r.7.Z.h.f.A.A.A.A.A.A.A.A.A.A.D.g.A.A.I.h.C.w.E.O.E.A.A.U.A.Q.A.A.x.A.U.A.A.A.A.A.A.G.R.9.A.A.A.A.E.A.A.A.A.D.A.B.A.A.A.A.A.B.A.A.E.A.A.A.A.A.I.A.A.A.U.A.A.Q.A.A.A.A.A.A.B.Q.A.B.A.A.A.A.A.A.A.A.E.A.c.A.A.A.Q.A.A.A.A.A.A.A.A.D.A.E.A.B.A.A.A.Q.A.A.A.Q.A.A.A.A.A.B.A.A.A.B.A.A.
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0003.doc
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):600580
                                                                                                                                                                  Entropy (8bit):5.850565167047853
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12288:nmkTbcqi+vjtKTA4rWgRRtgqDnygr6Yq/PWY:nmkvdbKDnyzx35
                                                                                                                                                                  MD5:1D35754EDB0B7AA76891735215FC048A
                                                                                                                                                                  SHA1:E0B1C34B3C39C1F097B7A3749174D098DC51E265
                                                                                                                                                                  SHA-256:C31DBCD8F7F979CB09159FE60B70A0C8F7A58C5E67EA8522E031F0BC5DF8A348
                                                                                                                                                                  SHA-512:6851E23E0FBFF103D5BDCE5CDC4D425C070D8E72BA66525CD2F85255F5BF3921C434C371B1459F184468546670AC26FD307035572E12DF84D1172517E8202A07
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: 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
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0005.doc
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):598272
                                                                                                                                                                  Entropy (8bit):5.856822353998229
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12288:FmkwUHZaSyYGKFaaGXuG7ttehnyragYqyPhU:FmkVZm2hnyDxAC
                                                                                                                                                                  MD5:7E9AB23E4F7C98AF0A03B64E3C14D7F6
                                                                                                                                                                  SHA1:BAD0DC91FB2929FDBF66E569257BABA97E1EC233
                                                                                                                                                                  SHA-256:532A6B3137804F51266923EBB06FA6DE43022C2B14F14F6785DDFDA8CA4238EE
                                                                                                                                                                  SHA-512:014420FD9C97DBCFF01E11E385E392D8F9AB91D238A418E76C72CD1CD191D2BEE17E7442398C20BA229AD25B0461778F76A88039B1810E20E88A0FE58C434789
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: 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
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0364.doc
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1191944
                                                                                                                                                                  Entropy (8bit):3.9253267830463896
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12288:ade8HF9kUxyxlFnsn4yA9W8MZ5axhVYGByJGZGy9e3rfTqtTfLlR1xwSaf67HNu4:me8HFmU/4yA9W89VYU7sY7yz1DsVirpI
                                                                                                                                                                  MD5:DA122309698B26E96848A6A829EEF5C1
                                                                                                                                                                  SHA1:DFA1B8C96C19827A595EEB15B2EC5386F9746CEF
                                                                                                                                                                  SHA-256:26585F7107FBECBA9F5282D4C1F1783441C60187057133121BD40D5C31C6149A
                                                                                                                                                                  SHA-512:4318F2A585966FC03A86D566819F06F15A93BE1616231FC34E4C5B7F0B6317083654B7F9C446D250D91C25176853B8CEB42504419D35ECD7F8DEC4C6048B5D7D
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: T.V.q.Q.A.A.M.A.A.A.A.E.A.A.A.A././.8.A.A.L.g.A.A.A.A.A.A.A.A.A.Q.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.C.A.E.A.A.A.4.f.u.g.4.A.t.A.n.N.I.b.g.B.T.M.0.h.V.G.h.p.c.y.B.w.c.m.9.n.c.m.F.t.I.G.N.h.b.m.5.v.d.C.B.i.Z.S.B.y.d.W.4.g.a.W.4.g.R.E.9.T.I.G.1.v.Z.G.U.u.D.Q.0.K.J.A.A.A.A.A.A.A.A.A.A.p.T.i.i.j.b.S.9.G.8.G.0.v.R.v.B.t.L.0.b.w.2.b.O.3.8.G.c.v.R.v.D.Z.s.7.X.w.G.i.9.G.8.N.m.z.t.P.B.1.L.0.b.w.P.0.d.D.8.U.0.v.R.v.A./.R.0.L.x.Y.i.9.G.8.D.9.H.R.f.F.+.L.0.b.w.Z.F.f.V.8.G.g.v.R.v.B.t.L.0.f.w.C.S.9.G.8.P.d.G.T./.F.s.L.0.b.w.9.0.Z.G.8.W.w.v.R.v.D.3.R.r.n.w.b.C.9.G.8.G.0.v.0.f.B.s.L.0.b.w.9.0.Z.E.8.W.w.v.R.v.B.S.a.W.N.o.b.S.9.G.8.A.A.A.A.A.A.A.A.A.A.A.U.E.U.A.A.E.w.B.B.Q.A.r.7.Z.h.f.A.A.A.A.A.A.A.A.A.A.D.g.A.A.I.h.C.w.E.O.E.A.A.U.A.Q.A.A.x.A.U.A.A.A.A.A.A.G.R.9.A.A.A.A.E.A.A.A.A.D.A.B.A.A.A.A.A.B.A.A.E.A.A.A.A.A.I.A.A.A.U.A.A.Q.A.A.A.A.A.A.B.Q.A.B.A.A.A.A.A.A.A.A.E.A.c.A.A.A.Q.A.A.A.A.A.A.A.A.D.A.E.A.B.A.A.A.Q.A.A.A.Q.A.A.A.A.A.B.A.A.A.B.A.A.
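The preview on the ~WRD0002.doc and ~WRD0364.doc entries (same hashes, 1191944 bytes each) is base64 text stored as UTF-16LE: strip the interleaved NULs and it reads TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA..., which decodes to a standard DOS header, and the ...cannot be run in DOS mode, PE\0\0 and 4C 01 05 00 fragments further along decode to an i386 PE with five sections, the same section count as the MZ preview earlier on this page. The ASCII staging copies (~WRD0000.tmp / ~WRD0004.tmp, 595972 bytes, CRLF terminated) are exactly half that size, which is what the same base64 string looks like stored once per byte instead of once per UTF-16 code unit. So Word is writing the macro's payload to disk in text form before it is decoded and dropped as a PE. The script below is an added example, not code from the report or from the sandbox vendor: it recovers the text layer from either staging form, base64-decodes it, and checks the result as a PE far enough to write a triage note. It decodes the report's own preview prefix, and for the full parse it uses a constructed stub PE (same machine type and the TimeDateStamp the preview decodes to, two empty sections), since the real dropped file is not on the page.

```python
import base64
import hashlib
import struct

# Start of the preview shown for ~WRD0002.doc / ~WRD0364.doc, with the
# UTF-16LE NUL bytes restored. Only this prefix is on the report.
PREVIEW_B64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA"


def text_layer(blob: bytes) -> str:
    """Return the text a staging file carries. The ~WRD*.doc copies are
    UTF-16LE (a NUL after every ASCII byte); the ~WRD*.tmp copies are ASCII."""
    if len(blob) >= 4 and blob[0] != 0 and blob[1] == 0 and blob[3] == 0:
        return blob.decode("utf-16-le", errors="ignore")
    return blob.decode("ascii", errors="ignore")


def decode_stage(blob: bytes) -> bytes:
    """Drop whitespace/CRLF, repair padding and base64-decode one staging file."""
    text = "".join(text_layer(blob).split())
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text)


def parse_pe(data: bytes) -> dict:
    """Check a decoded blob as a PE: MZ, e_lfanew, PE signature, COFF header,
    section names. Enough for a triage note, not a full PE parser."""
    info = {"mz": data[:2] == b"MZ", "pe": False, "machine": None,
            "timestamp": None, "sections": [],
            "sha256": hashlib.sha256(data).hexdigest()}
    if not info["mz"] or len(data) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return info
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info.update(pe=True, machine=machine, timestamp=ts)
    sec_off = e_lfanew + 24 + opt_size
    for i in range(nsec):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]
        info["sections"].append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return info


def triage(blob: bytes) -> dict:
    """One dropped staging file in, one triage record out."""
    decoded = decode_stage(blob)
    info = parse_pe(decoded)
    info["utf16_layer"] = len(blob) >= 2 and blob[1] == 0
    info["stage_size"] = len(blob)
    info["decoded_size"] = len(decoded)
    return info


def decode_preview_prefix() -> bytes:
    """Decode the report's own preview prefix: 27 bytes of DOS header."""
    return decode_stage(PREVIEW_B64.encode("utf-16-le"))


def build_sample_pe() -> bytes:
    """Constructed stand-in for the real payload (not the dropped file):
    DOS header, PE signature, COFF header with the i386 machine type and the
    TimeDateStamp the preview decodes to, and two empty section headers."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F98ED2B, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in (b".text", b".rdata"))
    return bytes(dos) + b"PE\0\0" + coff + sections


def stage_like_word(pe: bytes) -> tuple:
    """Store a PE the two ways this report shows it: base64 as UTF-16LE
    (the ~WRD0002.doc form) and the same base64 as ASCII (the ~WRD0000.tmp form)."""
    b64 = base64.b64encode(pe).decode("ascii")
    return b64.encode("utf-16-le"), b64.encode("ascii")


if __name__ == "__main__":
    head = decode_preview_prefix()
    print("preview prefix ->", head[:2], "e_lfarlc=0x%02x" % head[0x18])
    utf16_stage, ascii_stage = stage_like_word(build_sample_pe())
    print("UTF-16 stage is %.1fx the ASCII stage" % (len(utf16_stage) / len(ascii_stage)))
    for label, blob in (("~WRD0002.doc-style", utf16_stage), ("~WRD0000.tmp-style", ascii_stage)):
        print(label, triage(blob))
```

Pointed at the real ~WRD0002.doc and ~WRD0000.tmp from the sandbox, the two triage records should agree on the decoded SHA-256; if they do not, the staging copies are not the same payload and each one needs its own look. A text file in a Word temp directory whose first characters decode to MZ is also a cheap hunting signal on its own.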
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0497.doc
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):600580
                                                                                                                                                                  Entropy (8bit):5.850565167047853
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12288:nmkTbcqi+vjtKTA4rWgRRtgqDnygr6Yq/PWY:nmkvdbKDnyzx35
                                                                                                                                                                  MD5:1D35754EDB0B7AA76891735215FC048A
                                                                                                                                                                  SHA1:E0B1C34B3C39C1F097B7A3749174D098DC51E265
                                                                                                                                                                  SHA-256:C31DBCD8F7F979CB09159FE60B70A0C8F7A58C5E67EA8522E031F0BC5DF8A348
                                                                                                                                                                  SHA-512:6851E23E0FBFF103D5BDCE5CDC4D425C070D8E72BA66525CD2F85255F5BF3921C434C371B1459F184468546670AC26FD307035572E12DF84D1172517E8202A07
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: 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
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{78283799-0F83-48EF-8031-734426429AE8}.tmp
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1536
                                                                                                                                                                  Entropy (8bit):1.3695391241186443
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:IiiiiiiiiiVeldI43lnl/bl//l/fl/9vvvvvvvvvvFl/l/lAqsDNjPl3lldHzlb2:Iiiiiiiiii8l+4cc8++lwG3ql
                                                                                                                                                                  MD5:0F250E413D15A1C2DB1B79541FF9D33F
                                                                                                                                                                  SHA1:40F86097D1D76126B0DD3DBAF35FADFFA5E622C9
                                                                                                                                                                  SHA-256:805EFC1FB704122039602B882A459C75D26E1788E38232921050C46624974EBD
                                                                                                                                                                  SHA-512:C4A1CCCB22649A6A5ECEDCD7951DE96DBF1FF98AFEF0D1D0759F9611DDD5EE2F969F0AC3F61ACAED2FD01D686517183BFB73E275F1CCC23BA616A3F7541FBACC
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: ..(...(...(...(...(...(...(...(...(...(...(...p.r.a.t.e.s.h...p....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......>...B...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CCDBE93F-C124-4002-A8A4-82387CB4CA40}.tmp
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1024
                                                                                                                                                                  Entropy (8bit):0.05390218305374581
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):65536
                                                                                                                                                                  Entropy (8bit):0.11001645378947392
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:26IaVXm/Ey6q9995+i/Nldq3qQ10nMCldimE8eawHjcCcd:26Ia4l681NyLyMCldzE9BHjcxd
                                                                                                                                                                  MD5:E2A926928C5A07B9CE5C3AF850EAB104
                                                                                                                                                                  SHA1:346277EA0EC329E2DAC52F50C8E58F4F0BF6762D
                                                                                                                                                                  SHA-256:9E6FF5B1CB14ACB68D56BAB25B568A506FE3DAE13B9601306687C8FEC31FB50F
                                                                                                                                                                  SHA-512:CA28AA18A30689DC43180C216B994F8843E1A78327A2613B55C1B95FCA6FD5008E15AC8C04A41C4942DFBCB8F44E86DB1972F6E3026D2D373E7FDE9601B0C80B
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: ....................................................................................x............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................}I.g0..... .....E...h...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.....x...Q.......................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):65536
                                                                                                                                                                  Entropy (8bit):0.1125937326451811
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:NCjXm/Ey6q9995+iUl71miM3qQ10nMCldimE8eawHza1miIbMP:Nnl68Cp1tMLyMCldzE9BHza1tII
                                                                                                                                                                  MD5:B2C26F4E7D63823BACCFBED8A4F234C0
                                                                                                                                                                  SHA1:CF64A7A23F44D0FA20673456F7C8AAB96ED6F045
                                                                                                                                                                  SHA-256:27E0AF7C33CA7069BDDF351C871A38E5AA37C232C9879E44ED0EF825BD03DB0D
                                                                                                                                                                  SHA-512:F111F19D85AA53C4F090E07A6CB2F3325A37228A1995BE68E80974E2E5DE081ED16A6AEBD2E076ACB1DC5789CA5614F98D627C275DDC8EC1B9493506925FE9EF
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: ....................................................................................x...j........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................}I.g0..... .........h...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.....x...Z.......................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):65536
                                                                                                                                                                  Entropy (8bit):0.11240451627438612
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:7jXm/Ey6q9995+iNl71mK2P3qQ10nMCldimE8eawHza1mKk7tsP:Wl68zp1iPLyMCldzE9BHza1AJc
                                                                                                                                                                  MD5:C0B0B8426F83EF2F8A60DBF14BE87297
                                                                                                                                                                  SHA1:71C06754571BC5D8086EC6A1510E07613FC3CC21
                                                                                                                                                                  SHA-256:038D6DC1A0C8E20DC41857093EEBFDFD635CFB4B4272520CAE67817110475267
                                                                                                                                                                  SHA-512:AF49F2DAA2511724E57C2702580E84E3CF25C9BEF3E8425A4358DA3B6F57068587A43D6CDCBC7933F9FBBED361D446B8FE7E3D387C74B15AE7F480F64E794A6A
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: ....................................................................................x...rC.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................}I.g0..... .........h...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.....x....J......................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Ksh1.doc.LNK
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 14 10:32:15 2021, mtime=Thu Jan 14 10:32:15 2021, atime=Thu Jan 14 10:32:15 2021, length=595972, window=hide
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1872
                                                                                                                                                                  Entropy (8bit):4.595377904117475
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:88YOlHDIBAXL+vNx7aB6my8YOlHDIBAXL+vNx7aB6m:8HOljISXLO8B6pHOljISXLO8B6
                                                                                                                                                                  MD5:9D3C1C4DB5B591B8D47852847E19FF04
                                                                                                                                                                  SHA1:5DA05072C70C918D4C5F8463E64A5E60993F0277
                                                                                                                                                                  SHA-256:1BAA0597E24756A8FBBF5563AFF17F2BB0D328158ED40221D4D50CEC9271D335
                                                                                                                                                                  SHA-512:20BF966A5547013B5AE089C5FBF0BC968B9FF0610D372E63392A3A4C44BC3E9EE795071F12A338E3DBD1DD176BBA703DD1CA581646FB8F35A40AED5CE0DE895B
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: L..................F.... .....i.h...tZ..h...tZ..h...........................}....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.[....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......R.\..Public..f......L..R.\....................<.........P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....Z.2......R.\ .Ksh1.doc..B.......R.\.R.\.....h........................K.s.h.1...d.o.c.......G...............-.......F...........>.S......C:\Users\Public\Ksh1.doc..!.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.K.s.h.1...d.o.c..........v..*.cM.jVD.Es.!...`.......X.......377142...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............L..................F.... .....i.h...tZ..h...tZ..h...............
                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Ksh1.xls.LNK
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 14 10:32:13 2021, mtime=Thu Jan 14 10:32:14 2021, atime=Thu Jan 14 10:32:14 2021, length=595972, window=hide
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1872
                                                                                                                                                                  Entropy (8bit):4.6054989632820185
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:8f2VYOlzIKtSUAXzkF3vTz7aB6myf2VYOlzIKtSUAXzkF3vTz7aB6m:8uqOl1tSjXeLqB6puqOl1tSjXeLqB6
                                                                                                                                                                  MD5:623DBB8DBBCA4AAA84C9D0B51D2294AA
                                                                                                                                                                  SHA1:ED9CF95C49771F3F4BA706367FDF131F3536EDF8
                                                                                                                                                                  SHA-256:869594510F0C7C4AA0B36EC430A5565D02D1228D6FC8357079F83AAA87E79727
                                                                                                                                                                  SHA-512:CF1E69A0AC8207A82DF21752018105620BCDD641DE3CADED9FC0F18F2659DA0F2FB4F23F4992103FA3A29D962CD47F53981BAE59BB510D7D8AE28C65C6F1AAA6
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: L..................F.... ...f...h....V.h....V.h...........................}....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.[....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......R.\..Public..f......L..R.\....................<.....&W..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....Z.2......R.\ .Ksh1.xls..B.......R.\.R.\.....R....................&W..K.s.h.1...x.l.s.......G...............-.......F...........>.S......C:\Users\Public\Ksh1.xls..!.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.K.s.h.1...x.l.s..........v..*.cM.jVD.Es.!...`.......X.......377142...........!a..%.H.VZAj...~..-.........-..!a..%.H.VZAj...~..-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............L..................F.... ...f...h....V.h....V.h...............
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Public.LNK
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Wed Apr 11 22:38:20 2018, mtime=Thu Jan 14 10:32:13 2021, atime=Thu Jan 14 10:32:13 2021, length=4096, window=hide
Category:dropped
Size (bytes):1638
Entropy (8bit):4.631801277891009
Encrypted:false
SSDEEP:24:8nEJOMW8As7Rvmi7aB6mySOMW8As7Rvmi7aB6m:8nEJOMCsEzB6pSOMCsEzB6
MD5:D20EC39F272E325460490D56EB95738F
SHA1:5B40AEB7E5FBB6C34A62808981C94D7B95E92A68
SHA-256:B91AEE090146F1DAED24BB4148EF9B471834012BBB1E89223522F82A5CC3E33E
SHA-512:C7666B9A7BC9205DD57B875DEA7B2DA81DCDCFF1A1CB2E332E16AE61F32ADE62314C1C2EA7B6EA559941D3B86E4F2A415865417E384C8EF0F73DA8ECE7C25936
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):447
Entropy (8bit):4.3899967917411375
Encrypted:false
SSDEEP:12:MWXVqsogWEBIogWEBIogWCogWE+ogWE+qG+ogWC:FXVqs8EBI8EBI8C8E+8E+qG+8C
MD5:FD72007F8A3EB8088D84D55642E4BD50
SHA1:E4EA33BEAB25EFE67858F1935F8D5F0BACA65E4B
SHA-256:51DF55852A44D725F534237277FCF0FC82A78A17E0ABB73ADDBB4F870B075948
SHA-512:ACEDFBD511ABA21CE1C36E0A404884E0FD250DE10E52B5D0D593ABA14E6C27444EEED66E8D74385134BD8012D32F9982B9EA757346541A94EE3B167D380B7AF4
Malicious:false
Preview: [doc]..sample1.doc.LNK=0..sample1.doc.LNK=0..[doc]..sample1.doc.LNK=0..Public.LNK=0..[doc]..sample1.doc.LNK=0..[xls]..Ksh1.xls.LNK=0..Ksh1.xls.LNK=0..[doc]..sample1.doc.LNK=0..[xls]..Ksh1.xls.LNK=0..Ksh1.xls.LNK=0..[doc]..sample1.doc.LNK=0..[xls]..Ksh1.xls.LNK=0..Public.LNK=0..[doc]..sample1.doc.LNK=0..[xls]..Ksh1.xls.LNK=0..Ksh1.doc.LNK=0..[xls]..Ksh1.xls.LNK=0..Ksh1.doc.LNK=0..[doc]..sample1.doc.LNK=0..Ksh1.doc.LNK=0..[xls]..Ksh1.xls.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample1.doc.LNK
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 14 10:31:16 2021, mtime=Thu Jan 14 10:31:22 2021, atime=Thu Jan 14 10:31:19 2021, length=856064, window=hide
Category:dropped
Size (bytes):2076
Entropy (8bit):4.666899485134856
Encrypted:false
SSDEEP:24:84PGKCWv88lQAVKHJlfDLx7aB6my4PGKCWv88lQAVKHJlfDLx7aB6m:84PLlnVKHJlH8B6p4PLlnVKHJlH8B6
MD5:BD2560F66385CC85CDA44422341BE635
SHA1:F4066416295028DA67836117A585CEBF2161F96C
SHA-256:4DB40943AADE005210F9B32BB7C34F9C2986801F3FFAE0A0CC71A70E13D8B3D1
SHA-512:C772B4A63539F1D005C5427C20D9955468E50DA38DFF66E4241EEEC9852AACBBC54C0F37676FFBD6FE9276B3F5DBE89C6470500B29C6768FA71FDCEC8A6BAF4E
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.468762537539322
Encrypted:false
SSDEEP:3:Rl/ZdazGlmPREl9lnlt1olF4ditr:RtZu+lHlYBR
MD5:61CCB0AE1C8D3B3D7D8D942BBA014043
SHA1:2BC241C791ACAA6CCC41E6F9D0BD1C03E49633F6
SHA-256:D45E84624442FE9ED3005AE828C8E49FEA3C8D4677AC12F5D58B63FD198D39DB
SHA-512:E2B419E3A461D7A0196A9D34F4369CD8C94C31905D2886A3B9DABAC56527477A0746E9725F1177725B0C408044A1E989DDEB66BD32C859DD32A4D100F8478ABB
Malicious:false
C:\Users\user\Desktop\~$ample1.doc
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.468762537539322
Encrypted:false
SSDEEP:3:Rl/ZdazGlmPREl9lnlt1olF4ditr:RtZu+lHlYBR
MD5:61CCB0AE1C8D3B3D7D8D942BBA014043
SHA1:2BC241C791ACAA6CCC41E6F9D0BD1C03E49633F6
SHA-256:D45E84624442FE9ED3005AE828C8E49FEA3C8D4677AC12F5D58B63FD198D39DB
SHA-512:E2B419E3A461D7A0196A9D34F4369CD8C94C31905D2886A3B9DABAC56527477A0746E9725F1177725B0C408044A1E989DDEB66BD32C859DD32A4D100F8478ABB
Malicious:false
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process:C:\Windows\System32\svchost.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: User, Template: Normal.dotm, Last Saved By: kirin, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 20:00, Create Time/Date: Sun May 10 01:31:00 2020, Last Saved Time/Date: Wed Oct 28 04:44:00 2020, Number of Pages: 2, Number of Words: 89482, Number of Characters: 510049, Security: 0
Entropy (8bit):6.919205506848504
TrID:
• Microsoft Word document (32009/1) 54.23%
• Microsoft Word document (old ver.) (19008/1) 32.20%
• Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:sample1.doc
File size:850432
MD5:7dbd8ecfada1d39a81a58c9468b91039
SHA1:0d21e2742204d1f98f6fcabe0544570fd6857dd3
SHA256:dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95
SHA512:a851ac80b43ebdb8e990c2eb3daabb456516fc40bb43c9f76d0112674dbd6264efce881520744f0502f2962fc0bb4024e7d73ea66d56bc87c0cc6dfde2ab869a
SSDEEP:12288:emkTbAui+yjlKtAMgWffRtpqgnydr6YqVPCspBZZLFLIx/mBDOq1a:emkvVW9gnyQxtN9eEBDOQa

File Icon

Icon Hash:74f4c4c6c1cac4d8

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "sample1.doc"

Indicators

Has Summary Info:True
Application Name:Microsoft Office Word
Encrypted Document:False
Contains Word Document Stream:True
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Code Page:1252
Title:
Subject:
Author:User
Keywords:
Comments:
Template:Normal.dotm
Last Saved By:kirin
Revision Number:7
Total Edit Time:1200
Create Time:2020-05-10 00:31:00
Last Saved Time:2020-10-28 04:44:00
Number of Pages:2
Number of Words:89482
Number of Characters:510049
Creating Application:Microsoft Office Word
Security:0

Document Summary

Document Code Page:1252
Number of Lines:4250
Number of Paragraphs:1196
Thumbnail Scaling Desired:False
Company:
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:1048576

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 3696
General
Stream Path:Macros/VBA/ThisDocument
VBA File Name:ThisDocument.cls
Stream Size:3696

VBA Code Keywords

Keyword
#Else
VB_Name
VB_Creatable
".pdf"):
SetTask(Task
VB_Exposed
Null,
Form_Close()
("doc"):
Formt,
VB_TemplateDerived
Function
(ByVal
String
Right(Range.Text,
String)
Form_Close
Long)
Long,
VB_Customizable
Task,
("xls"):
FileName:=STP
".xls
PtrSafe
Left(ActiveDocument.Paragraphs(One).Range.Text,
Declare
"ThisDocument"
SetTask
False
FileFormat:=wdFormatText
Attribute
Private
VB_PredeclaredId
Sleep
VB_GlobalNameSpace
VB_Base
".pdf,In")
Document_Close()
VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114
General
Stream Path: \x1CompObj
File Type: data
Stream Size: 114
Entropy: 4.2359563651
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.25569624217
Base64 Encoded: False
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.473780805052
Base64 Encoded: False
Stream Path: 1Table, File Type: data, Stream Size: 7386
General
Stream Path: 1Table
File Type: data
Stream Size: 7386
Entropy: 5.92077573609
Base64 Encoded: True
Stream Path: Data, File Type: data, Stream Size: 187989
General
Stream Path: Data
File Type: data
Stream Size: 187989
Entropy: 7.97862280177
Base64 Encoded: True
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 367
General
Stream Path: Macros/PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 367
Entropy: 5.29037636248
Base64 Encoded: True
Data ASCII: I D = " { D 4 7 2 8 3 5 A - 3 8 9 1 - 4 D B 9 - 8 6 F 0 - 0 C 1 2 4 A F F D 6 E 1 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 8 0 A E 9 E F E D E F E D E F E D E F E D " . . D P B = " 9 6 9 4 7 7 F B 8 B 0 7 1 8 0 8 1 8 0 8 1 8 " . . G C = " 2 4 2 6 C 5 8 9 D D 1 6 D E 1 6 D E E 9 " . . . . [ H o s t E x t e n d e r I n f o ]
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41
General
Stream Path: Macros/PROJECTwm
File Type: data
Stream Size: 41
Entropy: 3.07738448508
Base64 Encoded: False
Data ASCII: T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2845
General
Stream Path: Macros/VBA/_VBA_PROJECT
File Type: data
Stream Size: 2845
Entropy: 4.32828178006
Base64 Encoded: False
Data ASCII: . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 513
General
Stream Path: Macros/VBA/dir
File Type: data
Stream Size: 513
Entropy: 6.25624133358
Base64 Encoded: True
Stream Path: WordDocument, File Type: data, Stream Size: 627764
General
Stream Path: WordDocument
File Type: data
Stream Size: 627764
Entropy: 6.04018774642
Base64 Encoded: False
                                                                                                                                                                  Data ASCII:. . . . { . . . . . . . . . . . . . . . . . . . . . . . . - . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . . . . . . f . . . f . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                  Data Raw:ec a5 c1 00 7b 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 eb 2d 09 00 0e 00 62 6a 62 6a 84 bd 84 bd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 34 94 09 00 e6 d7 d5 66 e6 d7 d5 66 eb 25 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/14/21-03:32:48.113821 | TCP | 2404310 | ET CNC Feodo Tracker Reported CnC Server TCP group 6 | 49744 | 80 | 192.168.2.3 | 177.130.51.198
01/14/21-03:32:50.083093 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 177.130.48.10 | 192.168.2.3
01/14/21-03:32:53.167035 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 177.130.48.10 | 192.168.2.3

                                                                                                                                                                  Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2021 03:31:17.467721939 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:17.516078949 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:18.245503902 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:18.304785967 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:19.433659077 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:19.484662056 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:20.493016005 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:20.552378893 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:22.347606897 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:22.404367924 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:22.934644938 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:22.995167971 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:23.446079969 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:23.494133949 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:23.939429045 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:23.998469114 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:24.955398083 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:25.014638901 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:26.955465078 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:27.014661074 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:30.971551895 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:31.023490906 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:43.270042896 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:43.318037033 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:43.455792904 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:43.503793955 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:44.264404058 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:44.312263012 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:45.099395990 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:45.155900955 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:45.982577085 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:46.030450106 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:46.783137083 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:46.831110954 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:47.558320999 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:47.609205961 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:48.325836897 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:48.373833895 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:49.091344118 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:49.147531986 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:50.035516977 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:50.093086004 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:31:52.749440908 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:31:52.818248034 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:32:04.694058895 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:32:04.760720015 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:32:05.598315001 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:32:05.659096956 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:32:19.660710096 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:32:19.708764076 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:32:21.869105101 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:32:21.936005116 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:32:23.872899055 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:32:23.939750910 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:32:24.422291994 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:32:24.517784119 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:32:24.752584934 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:32:24.800654888 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jan 14, 2021 03:32:54.230439901 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2021 03:32:54.278379917 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2021 03:32:23.872899055 CET | 192.168.2.3 | 8.8.8.8 | 0x9b6d | Standard query (0) | pornthash.mobi | A (IP address) | IN (0x0001)
Jan 14, 2021 03:32:24.422291994 CET | 192.168.2.3 | 8.8.8.8 | 0xd192 | Standard query (0) | mov.pornthash.mobi | A (IP address) | IN (0x0001)
Jan 14, 2021 03:32:24.752584934 CET | 192.168.2.3 | 8.8.8.8 | 0xe98e | Standard query (0) | ip166475689.ahcdn.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2021 03:32:23.939750910 CET | 8.8.8.8 | 192.168.2.3 | 0x9b6d | No error (0) | pornthash.mobi | | 104.21.4.61 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:32:23.939750910 CET | 8.8.8.8 | 192.168.2.3 | 0x9b6d | No error (0) | pornthash.mobi | | 172.67.154.11 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:32:24.517784119 CET | 8.8.8.8 | 192.168.2.3 | 0xd192 | No error (0) | mov.pornthash.mobi | | 104.21.4.61 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:32:24.517784119 CET | 8.8.8.8 | 192.168.2.3 | 0xd192 | No error (0) | mov.pornthash.mobi | | 172.67.154.11 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:32:24.800654888 CET | 8.8.8.8 | 192.168.2.3 | 0xe98e | No error (0) | ip166475689.ahcdn.com | | 188.209.213.202 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 03:31:20
Start date: 14/01/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x350000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:31:42
Start date: 14/01/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:31:46
Start date: 14/01/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:31:56
Start date: 14/01/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:31:57
Start date: 14/01/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:31:58
Start date: 14/01/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                                                                  Imagebase:0x7ff7488e0000
                                                                                                                                                                  File size:51288 bytes
                                                                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:03:31:58
                                                                                                                                                                  Start date:14/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                                                                                                  Imagebase:0x7ff7488e0000
                                                                                                                                                                  File size:51288 bytes
                                                                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:03:31:58
                                                                                                                                                                  Start date:14/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                                                                  Imagebase:0x7ff7488e0000
                                                                                                                                                                  File size:51288 bytes
                                                                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:03:31:59
                                                                                                                                                                  Start date:14/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                                                  Imagebase:0x7ff7488e0000
                                                                                                                                                                  File size:51288 bytes
                                                                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:03:31:59
                                                                                                                                                                  Start date:14/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                                                  Imagebase:0x7ff673870000
                                                                                                                                                                  File size:163336 bytes
                                                                                                                                                                  MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:03:32:00
                                                                                                                                                                  Start date:14/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                                                                  Imagebase:0x7ff7488e0000
                                                                                                                                                                  File size:51288 bytes
                                                                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:03:32:16
                                                                                                                                                                  Start date:14/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\certutil.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf
                                                                                                                                                                  Imagebase:0x7ff6b94e0000
                                                                                                                                                                  File size:1557504 bytes
                                                                                                                                                                  MD5 hash:EB199893441CED4BBBCB547FE411CF2D
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:moderate

                                                                                                                                                                  General

                                                                                                                                                                  Start time:03:32:16
                                                                                                                                                                  Start date:14/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff6b2800000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Disassembly

                                                                                                                                                                  Code Analysis
