Windows Analysis Report instruct_11.21.doc.docm

Overview

General Information

Sample Name: instruct_11.21.doc.docm
Analysis ID: 520837
MD5: a9490d94cf547e27dcc0d52dc72e74e7
SHA1: a00e440eb13f84c8b8faba5b81a7d85fce2a4074
SHA256: ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394
Tags: doc, maldoc, sansisc, vba
Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Sigma detected: Suspicious MSHTA Process Patterns
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Document contains no OLE stream with summary information
Queries the volume information (name, serial number etc) of a device
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Document has an unknown application name
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Internet Provider seen in connection with other malware
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: instruct_11.21.doc.docm Virustotal: Detection: 49%
Antivirus detection for URL or domain
Source: http://shoulderelliottd.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8?cid=Bm9cAP&wP8zhkK Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: shoulderelliottd.com Virustotal: Detection: 9%
Machine Learning detection for sample
Source: instruct_11.21.doc.docm Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\explorer.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.4:49783 -> 194.62.42.144:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: shoulderelliottd.com

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.4:49783 -> 194.62.42.144:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ZEISS-ASRU ZEISS-ASRU
Source: mshta.exe, 00000006.00000003.713921343.0000000006569000.00000004.00000001.sdmp String found in binary or memory: http://en.wF
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: mshta.exe, 00000006.00000003.728745747.000000000652C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.728238876.00000000065D3000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.728533924.000000000322E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.728654834.000000000652C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.727987202.000000000A7E1000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.728554785.00000000031A9000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.728398097.000000000A9E3000.00000004.00000040.sdmp, mshta.exe, 00000006.00000002.730091556.00000000031AA000.00000004.00000001.sdmp String found in binary or memory: http://shoulderelliottd.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8?cid=Bm9cAP&wP8zhkK
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.aadrm.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.cortana.ai
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.office.net
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.onedrive.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://augloop.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://cdn.entity.
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://cortana.ai
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://cortana.ai/api
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://cr.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://directory.services.
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://graph.windows.net
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://graph.windows.net/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://lifecycle.office.com
Source: mshta.exe, 00000006.00000003.726000483.0000000008AC6000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://login.windows.local
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://management.azure.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://management.azure.com/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://messaging.office.com/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://officeapps.live.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://onedrive.live.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://osi.office.net
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://otelrules.azureedge.net
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://outlook.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://outlook.office.com/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://outlook.office365.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://roaming.edog.
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://settings.outlook.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://tasks.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 24FED24A-A137-4984-A755-6A68F4E24F72.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown DNS traffic detected: queries for: shoulderelliottd.com

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" button on the top bar, and then click 'Enable content" Page1 of 1 116words It? O
Source: Screenshot number: 4 Screenshot OCR: Enable content" Page1 of 1 116words It? O Type here to search Ki E a a g wg m % - I + lOW, sf
Document contains an embedded VBA macro which may execute processes
Source: instruct_11.21.doc.docm OLE, VBA macro line: dowYouKarol.exec "c:\windows\explorer " & dowGirlLoad
Document contains an embedded VBA macro with suspicious strings
Source: instruct_11.21.doc.docm OLE, VBA macro line: Set dowYouKarol = CreateObject("wscript.shell")
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function s, String wscript: Set dowYouKarol = CreateObject("wscript.shell") Name: s
Document contains no OLE stream with summary information
Source: instruct_11.21.doc.docm OLE indicator has summary info: false
Source: ~WRF{C8F000F6-2878-4270-8CA4-E7B38F5CB954}.tmp.0.dr OLE indicator has summary info: false
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Document has an unknown application name
Source: instruct_11.21.doc.docm OLE indicator application name: unknown
Source: ~WRF{C8F000F6-2878-4270-8CA4-E7B38F5CB954}.tmp.0.dr OLE indicator application name: unknown
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: instruct_11.21.doc.docm OLE, VBA macro line: Sub document_open()
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function document_open Name: document_open
Document contains embedded VBA macros
Source: instruct_11.21.doc.docm OLE indicator, VBA macros: true
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{C8F000F6-2878-4270-8CA4-E7B38F5CB954}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: instruct_11.21.doc.docm Virustotal: Detection: 49%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\explorer.exe c:\windows\explorer c:\users\public\powPowNext.hta
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\powPowNext.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{C3E5254C-1D9D-4106-BDD1-A5AF4468DA85} - OProcSessId.dat
Source: classification engine Classification label: mal92.expl.winDOCM@6/18@1/1
Source: instruct_11.21.doc.docm OLE document summary: title field not present or empty
Source: instruct_11.21.doc.docm OLE document summary: edited time not present or 0
Source: ~WRF{C8F000F6-2878-4270-8CA4-E7B38F5CB954}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{C8F000F6-2878-4270-8CA4-E7B38F5CB954}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{C8F000F6-2878-4270-8CA4-E7B38F5CB954}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: instruct_11.21.doc.docm Initial sample: OLE summary keywords = ath.txeNwoPwop\cilbup\sresu\:c
Source: ~WRF{C8F000F6-2878-4270-8CA4-E7B38F5CB954}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\mshta.exe Code function: 6_2_057AB5B1 push esp; retf 6_2_057AB5B2
Source: C:\Windows\SysWOW64\mshta.exe Code function: 6_2_057AC44D push ebx; retf 6_2_057AC44E

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: mshta.exe, 00000006.00000003.728480223.0000000008A91000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000002.921617169.0000000000B5A000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}U
Source: explorer.exe, 00000004.00000002.663261965.0000000000ED8000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.921617169.0000000000B5A000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\9
Source: C:\Windows\SysWOW64\mshta.exe Memory allocated: page read and write | page guard
Source: explorer.exe, 00000005.00000002.921760286.00000000012C0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000002.921760286.00000000012C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.921760286.00000000012C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000002.921760286.00000000012C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation